diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000..bee8a64b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+__pycache__
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 10ea0305..36676c0c 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -13471,7 +13471,29 @@
 },
 "uuid": "6cfa553a-1e1b-115a-401f-015d681470b1",
 "value": "GetCrypt"
+ },
+ {
+ "description": "A new ransomware family dubbed “Nemty” for the extension it adds to encrypted files has recently surfaced in the wild. According to a report from Bleeping Computer, New York-based reverse engineer Vitali Kremez posits that Nemty is possibly delivered through exposed remote desktop connections.",
+ "meta": {
+ "payment-method": "Bitcoin",
+ "price": "1000 $",
+ "refs": [
+ "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/nemty-ransomware-possibly-spreads-through-exposed-remote-desktop-connections"
+ ]
+ },
+ "uuid": "6cfa554a-1e2b-115a-400f-014d671470b1",
+ "value": "Nemty"
+ },
+ {
+ "description": "Buran is a new version of the Vega ransomware strain (a.k.a. Jamper, Ghost, Buhtrap) that attacked accountants from February through April 2019. The new Buran ransomware first was discovered by nao_sec in June 2019, delivered by the RIG Exploit Kit, as reported by BleepingComputer.",
+ "meta": {
+ "refs": [
+ "https://www.acronis.com/en-us/blog/posts/meet-buran-new-delphi-ransomware-delivered-rig-exploit-kit"
+ ]
+ },
+ "uuid": "6cfa554a-1e1b-114a-300f-013d671370b0",
+ "value": "Buran"
 }
 ],
- "version": 64
+ "version": 66
 }
diff --git a/clusters/target-information.json b/clusters/target-information.json
index c3165973..23cdd166 100644
--- a/clusters/target-information.json
+++ b/clusters/target-information.json
@@ -1493,7 +1493,7 @@
 "Zhōnghuá Rénmín Gònghéguó"
 ],
 "territory-type": [
- ""
+ "Country"
 ]
 },
 "uuid": "53d3d205-db31-4ec9-86aa-c2bf11fd18e6",
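Review bot: The two new `uuid` values in the ransomware hunk, `6cfa554a-1e2b-115a-400f-014d671470b1` and `6cfa554a-1e1b-114a-300f-013d671370b0`, appear to be hand-edited copies of the neighbouring GetCrypt uuid `6cfa553a-1e1b-115a-401f-015d681470b1` rather than generated identifiers; neither carries the RFC 4122 version-4 `4xxx` / variant `8|9|a|b` nibbles, and the same editing pattern repeated across commits invites an accidental collision with an existing cluster. Replace both with fresh `uuid4()` output (`python3 -c 'import uuid; print(uuid.uuid4())'`) before the bump to `"version": 66` lands. The Nemty `price` is free text, `"1000 $"`; if other ransomware entries store a bare number or a currency code, align with that so the field stays machine-comparable.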
@@ -2154,7 +2154,7 @@ "currency": [ "$", "USD", - "United States dollara" + "United States dollar" ], "iso-code": [ "SV", @@ -2517,10 +2517,27 @@ "calling-code": [ "+241" ], + "capital": [ + "Libreville" + ], + "currency": [ + "Central African CFA franc", + "XAF" + ], "iso-code": [ "GA", "GAB" ], + "official-languages": [ + "French" + ], + "synomyms": [ + "Gabonese Republic", + "République gabonaise" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".ga" }, "uuid": "8e70d742-c708-4a9e-8ab1-6a8a90306ccf", @@ -2531,10 +2548,28 @@ "calling-code": [ "+220" ], + "capital": [ + "Banjul" + ], + "currency": [ + "Dalasi", + "GMD" + ], "iso-code": [ "GM", "GMB" - ] + ], + "official-languages": [ + "English" + ], + "synomyms": [ + "The Gambia", + "Republic of The Gambia" + ], + "territory-type": [ + "Country" + ], + "top-level-domain": ".gm" }, "uuid": "2ded2689-16c3-4476-a2d8-04c4bc51ae4a", "value": "Gambia" @@ -2544,10 +2579,32 @@ "calling-code": [ "+995" ], + "capital": [ + "Tbilisi" + ], + "currency": [ + "Georgian lari", + "₾", + "GEL" + ], "iso-code": [ "GE", "GEO" ], + "official-languages": [ + "Georgian", + "Abkhazian" + ], + "synomyms": [ + "საქართველო", + "sakartvelo", + "Republic of Georgia", + "საქართველოს რესპუბლიკა", + "sakartvelos resp'ublik'a" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".ge" }, "uuid": "76c2f2fe-ce68-4008-aa30-1ac8de38d617", @@ -2558,6 +2615,14 @@ "calling-code": [ "+49" ], + "capital": [ + "Berlin" + ], + "currency": [ + "€", + "EUR", + "EURO" + ], "iso-code": [ "DE", "DEU" @@ -2565,6 +2630,17 @@ "member-of": [ "NATO" ], + "official-languages": [ + "German" + ], + "synomyms": [ + "Deutschland", + "Federal Republic of Germany", + "Bundesrepublik Deutschland" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".de" }, "uuid": "4121d334-39d0-49c4-8a0e-0442c6bdcbc4", 
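Review bot: The Gabon hunk (and every following country hunk) stores alternate names under the key `"synomyms"`, while `tools/chk_dup.py` in this same commit reads `entry.get('meta').get('synonyms')`; whichever spelling the file's schema actually uses, names stored under `synomyms` are invisible to the duplicate checker, so an alias such as `"Gabonese Republic"` colliding with another cluster is never reported. If `synonyms` is the schema key, fix the spelling in these hunks; if the file historically uses `synomyms`, say so in a comment in chk_dup.py and make it read both keys. The `"territory-type": ["Country"]` value is also spelled `"sovereign state"` in later hunks of the same file, which will fragment any grouping on that field.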
@@ -2575,10 +2651,26 @@ "calling-code": [ "+233" ], + "capital": [ + "Accra" + ], + "currency": [ + "Ghanaian cedi", + "GHS" + ], "iso-code": [ "GH", "GHA" ], + "official-languages": [ + "English" + ], + "synomyms": [ + "Republic of Ghana" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".gh" }, "uuid": "6f7a0f04-8299-4a2d-95d0-a8305a1ae23e", @@ -2589,10 +2681,29 @@ "calling-code": [ "+350" ], + "capital": [ + "Gibraltar" + ], + "currency": [ + "Gibraltar pound", + "£", + "GIP" + ], "iso-code": [ "GI", "GIB" - ] + ], + "official-languages": [ + "English" + ], + "synomyms": [ + "جبل طارق", + "Jabal Ṭāriq" + ], + "territory-type": [ + "British Overseas Territory" + ], + "top-level-domain": ".gi" }, "uuid": "078a914d-7ef3-413b-8a62-2473b8db1c12", "value": "Gibraltar" @@ -2602,6 +2713,14 @@ "calling-code": [ "+30" ], + "capital": [ + "Athens" + ], + "currency": [ + "€", + "EUR", + "EURO" + ], "iso-code": [ "GR", "GRC" @@ -2609,6 +2728,19 @@ "member-of": [ "NATO" ], + "official-languages": [ + "Greek" + ], + "synomyms": [ + "Hellas", + "Ελλάς", + "Hellenic Republic", + "Ελληνική Δημοκρατία", + "Ellinikí Dimokratía" + ], + "territory-type": [ + "sovereign state" + ], "top-level-domain": ".gr" }, "uuid": "505730f7-2637-4efb-845d-f1af7cdca109", @@ -2619,10 +2751,28 @@ "calling-code": [ "+299" ], + "capital": [ + "Nuuk" + ], + "currency": [ + "Danish krone", + "DKK" + ], "iso-code": [ "GL", "GRL" - ] + ], + "official-languages": [ + "Greenandic" + ], + "synomyms": [ + "Kalaallit Nunaat", + "Grønland" + ], + "territory-type": [ + "Country" + ], + "top-level-domain": ".gl" }, "uuid": "20f2c544-093d-4964-84ae-7d5fd54ad6d0", "value": "Greenland" 
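Review bot: In the Greenland hunk the new `official-languages` entry `"Greenandic"` is a misspelling of `Greenlandic`; as these values are used as match keys, the typo means the entry will never match a correctly spelled query. Change it to `"Greenlandic"`. The Greece hunk a few lines earlier uses `"territory-type": ["sovereign state"]` while Greenland uses `"Country"`; pick one vocabulary for the field.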
@@ -2632,10 +2782,23 @@ "calling-code": [ "+1-473" ], + "capital": [ + "St. George's" + ], + "currency": [ + "East Caribbean dollar", + "XCD" + ], "iso-code": [ "GD", "GRD" ], + "official-languages": [ + "English" + ], + "territory-type": [ + "sovereign state" + ], "top-level-domain": ".gd" }, "uuid": "1aea4486-eef7-496b-9a69-a2d2bdbe7b77", @@ -2646,10 +2809,30 @@ "calling-code": [ "+1-671" ], + "capital": [ + "Hagåtña" + ], + "currency": [ + "$", + "USD", + "United States dollar" + ], "iso-code": [ "GU", "GUM" - ] + ], + "official-languages": [ + "English", + "Chamorro" + ], + "synomyms": [ + "Guåhån", + "Territory of Guam" + ], + "territory-type": [ + "Unincorporated organized territory" + ], + "top-level-domain": ".gu" }, "uuid": "4dc24d07-79ee-43b7-98a0-53bc79a29708", "value": "Guam" @@ -2659,10 +2842,27 @@ "calling-code": [ "+502" ], + "capital": [ + "Guatemala City" + ], + "currency": [ + "Quetzal", + "GTQ" + ], "iso-code": [ "GT", "GTM" ], + "official-languages": [ + "Spanish" + ], + "synomyms": [ + "Republic of Guatemala", + "República de Guatemala" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".gt" }, "uuid": "3e3e89d2-07f3-4ddc-addf-2d5cb05bedd1", @@ -2673,10 +2873,30 @@ "calling-code": [ "+44-1481" ], + "capital": [ + "St Peter Port" + ], + "currency": [ + "Guernsey Pound", + "Pound sterling", + "GGP", + "GBP" + ], "iso-code": [ "GG", "GGY" - ] + ], + "official-languages": [ + "English", + "French" + ], + "synomyms": [ + "Guernési" + ], + "territory-type": [ + "Jurisdiction" + ], + "top-level-domain": ".gg" }, "uuid": "dd42b40e-2740-46f5-9bb1-6d0799a081c7", "value": "Guernsey" 
@@ -2686,10 +2906,30 @@ "calling-code": [ "+224" ], + "capital": [ + "Conakry" + ], + "currency": [ + "Guinean franc", + "GNF" + ], "iso-code": [ "GN", "GIN" ], + "official-languages": [ + "French" + ], + "synomyms": [ + "Ginee", + "Guinée", + "Republic of Guinea", + "Renndaandi Ginee", + "République de Guinée (French)" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".gn" }, "uuid": "f227edf8-e538-45b8-8a70-1a05ea5a605b", @@ -2700,10 +2940,28 @@ "calling-code": [ "+245" ], + "capital": [ + "Bisseau" + ], + "currency": [ + "West African CFA franc", + "XOF" + ], "iso-code": [ "GW", "GNB" ], + "official-languages": [ + "Portuguese" + ], + "synomyms": [ + "Guiné-Bissau", + "Republic of Guinea-Bissau", + "República da Guiné-Bissau" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".gw" }, "uuid": "3b5824bc-936e-4403-bdc9-4dd9a7db36e3", @@ -2714,10 +2972,26 @@ "calling-code": [ "+592" ], + "capital": [ + "Georgetown" + ], + "currency": [ + "Guyanese dollar", + "GYD" + ], "iso-code": [ "GY", "GUY" ], + "official-languages": [ + "English" + ], + "synomyms": [ + "Co-operative Republic of Guyana" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".gy" }, "uuid": "cb9fbca4-6cc6-4f83-9ebc-4e975cddea69", @@ -2728,10 +3002,33 @@ "calling-code": [ "+509" ], + "capital": [ + "Port-au-Prince" + ], + "currency": [ + "Haitian gourde", + "G", + "HTG" + ], "iso-code": [ "HT", "HTI" ], + "official-languages": [ + "French", + "Haitian Creole" + ], + "synomyms": [ + "Haïti", + "Ayiti", + "Republic of Haiti", + "République d'Haïti", + "Repiblik Ayiti", + "Hayti" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".ht" }, "uuid": "595dd000-64ac-43b5-be17-0f52eff47459", 
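Review bot: The Guinea-Bissau hunk sets `"capital": ["Bisseau"]`, which is a misspelling of the city name `Bissau`; a consumer matching capitals against this cluster will miss it. Change the value to `"Bissau"`. Elsewhere in the same hunk the Guinea synonym `"République de Guinée (French)"` embeds the language name in the value itself, unlike every other entry, which lists the native name bare; drop the parenthetical so the synonym matches the real string.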
@@ -2742,10 +3039,27 @@ "calling-code": [ "+504" ], + "capital": [ + "Tegucigalpa" + ], + "currency": [ + "Lempira", + "HNL" + ], "iso-code": [ "HN", "HND" ], + "official-languages": [ + "Spanish" + ], + "synomyms": [ + "Republic of Honduras", + "República de Honduras" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".hn" }, "uuid": "74a66006-ce2b-4280-abd1-e6f14ff9b926", @@ -2756,10 +3070,25 @@ "calling-code": [ "+852" ], + "currency": [ + "Hong Kong dollar", + "HK$", + "HKD" + ], "iso-code": [ "HK", "HKG" ], + "official-languages": [ + "Chinese", + "English" + ], + "synomyms": [ + "Hong Kong Special Administrative Region of the People's Republic of China" + ], + "territory-type": [ + "special administrative region" + ], "top-level-domain": ".hk" }, "uuid": "51c8ffc5-5453-4bf8-b100-74186d9a0de0", @@ -2770,6 +3099,13 @@ "calling-code": [ "+36" ], + "capital": [ + "Budapest" + ], + "currency": [ + "Forint", + "HUF" + ], "iso-code": [ "HU", "HUN" @@ -2777,6 +3113,15 @@ "member-of": [ "NATO" ], + "official-languages": [ + "Hungarian" + ], + "synomyms": [ + "Magyarország" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".hu" }, "uuid": "adc52cee-5668-498d-8111-db1c38a584c5", @@ -2787,6 +3132,13 @@ "calling-code": [ "+354" ], + "capital": [ + "Reykjavík" + ], + "currency": [ + "Icelandic króna", + "ISK" + ], "iso-code": [ "IS", "ISL" @@ -2794,6 +3146,15 @@ "member-of": [ "NATO" ], + "official-languages": [ + "Icelandic" + ], + "synomyms": [ + "Ísland" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".is" }, "uuid": "5bcfbed4-d9af-40ab-bcbd-013cad252570", 
@@ -2804,10 +3165,29 @@ "calling-code": [ "+91" ], + "capital": [ + "New Delhi" + ], + "currency": [ + "Indian rupee", + "₹", + "INR" + ], "iso-code": [ "IN", "IND" ], + "official-languages": [ + "Hindi", + "English" + ], + "synomyms": [ + "Republic of India", + "Bhārat Gaṇarājya" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".in" }, "uuid": "283a7b58-9fa6-48c8-95bc-9ece77b5b2ea", @@ -2818,10 +3198,28 @@ "calling-code": [ "+62" ], + "capital": [ + "Jakarta" + ], + "currency": [ + "Indonesian rupiah", + "Rp", + "IDR" + ], "iso-code": [ "ID", "IDN" ], + "official-languages": [ + "Indonesian" + ], + "synomyms": [ + "Republic of Indonesia", + "Republik Indonesia" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".id" }, "uuid": "417b5c63-a388-45d1-b104-cede98b13fe0", @@ -2832,10 +3230,30 @@ "calling-code": [ "+98" ], + "capital": [ + "Tehran" + ], + "currency": [ + "Rial", + "ریال", + "IRR" + ], "iso-code": [ "IR", "IRN" ], + "official-languages": [ + "Persian" + ], + "synomyms": [ + "Persia", + "Islamic Republic of Iran", + "جمهوری اسلامی ایران", + "Jomhuri-ye Eslāmi-ye Irān" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".ir" }, "uuid": "12b32332-ead1-4f69-be61-69ab1ed27d01", @@ -2846,10 +3264,36 @@ "calling-code": [ "+964" ], + "capital": [ + "Baghdad" + ], + "currency": [ + "Iraqi dinar", + "IQD" + ], "iso-code": [ "IQ", "IRQ" ], + "official-languages": [ + "Arabic", + "Kurdish" + ], + "synomyms": [ + "العراق", + "al-'Irāq", + "عێراق‎", + "Êraq", + "Republic of Iraq", + "جمهورية العراق", + "کۆماری عێراق", + "کۆمارا ئێـراقێ", + "Jumhūrīyyat al-'Irāq", + "Komarî Êraq" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".iq" }, "uuid": "625f37bd-fe48-4791-ac1e-be8d069643a1", 
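Review bot: The Iraq hunk's synonym `"عێراق‎"` appears to end with an invisible U+200E LEFT-TO-RIGHT MARK before the closing quote (it is not visible in the rendered text, only in the byte sequence); a synonym carrying a trailing control character will never equal the same word typed normally, and `chk_dup.py` only strips ASCII whitespace with `.strip()`, so it will not normalise it either. Strip the mark so the value is the bare word. It would be worth adding a check for non-printing characters (`unicodedata.category(c) == 'Cf'`) to the new validation tooling, since this is easy to paste in from a web page and hard to spot in review.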
@@ -2860,10 +3304,29 @@ "calling-code": [ "+353" ], + "capital": [ + "Dublin" + ], + "currency": [ + "€", + "EUR", + "EURO" + ], "iso-code": [ "IE", "IRL" ], + "official-languages": [ + "Irish", + "English" + ], + "synomyms": [ + "Éire", + "Republic of Ireland" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".ie" }, "uuid": "b1243ef1-78f4-4e10-841d-bc61361f21f8", @@ -2874,10 +3337,32 @@ "calling-code": [ "+44-1624" ], + "capital": [ + "Douglas" + ], + "currency": [ + "Pound sterling", + "GBP", + "Manx pound", + "IMP" + ], "iso-code": [ "IM", "IMN" - ] + ], + "official-languages": [ + "English", + "Manx" + ], + "synomyms": [ + "Mannin", + "Ellan Vannin", + "Mann" + ], + "territory-type": [ + "Crown dependency" + ], + "top-level-domain": ".im" }, "uuid": "57855966-b290-47e2-b098-1d903f4163b8", "value": "Isle of Man" @@ -2887,10 +3372,29 @@ "calling-code": [ "+972" ], + "capital": [ + "Jerusalem" + ], + "currency": [ + "New shekel", + "₪", + "‎ILS" + ], "iso-code": [ "IL", "ISR" ], + "official-languages": [ + "Hebrew" + ], + "synomyms": [ + "יִשְׂרָאֵל", + "إِسْرَائِيل‎", + "State of Israel" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".il" }, "uuid": "3273414a-8331-44cc-b3f6-890bf2363607", @@ -2901,6 +3405,14 @@ "calling-code": [ "+39" ], + "capital": [ + "Rome" + ], + "currency": [ + "€", + "EUR", + "EURO" + ], "iso-code": [ "IT", "ITA" @@ -2908,6 +3420,17 @@ "member-of": [ "NATO" ], + "official-languages": [ + "Italian" + ], + "synomyms": [ + "Italia", + "Italian Republic", + "Repubblica Italiana" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".it" }, "uuid": "1bcc0b11-d906-40ea-910c-a1124c4d82bd", 
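Review bot: In the Israel hunk the currency code is written as `"‎ILS"`, with an invisible U+200E LEFT-TO-RIGHT MARK before the letters, and the synonym `"إِسْرَائِيل‎"` appears to end with the same mark; an ISO currency code that is not byte-equal to `ILS` will fail every exact comparison and is an easy way for a lookup to silently miss. Remove the marks so the values are the plain strings `"ILS"` and the bare Arabic name. The Isle of Man entry in the same line labels the territory `"Crown dependency"` while Guernsey (earlier) is `"Jurisdiction"`; both are Crown dependencies, so the field value should be the same for both.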
@@ -2918,10 +3441,29 @@
 "calling-code": [
 "+225"
 ],
+ "capital": [
+ "Yamoussoukro",
+ "Abidjan"
+ ],
+ "currency": [
+ "West African CFA franc",
+ "XOF"
+ ],
 "iso-code": [
 "CI",
 "CIV"
 ],
+ "official-languages": [
+ "French"
+ ],
+ "synomyms": [
+ "Côte d'Ivoire",
+ "Republic of Côte d'Ivoire",
+ "République de Côte d'Ivoire"
+ ],
+ "territory-type": [
+ "Country"
+ ],
 "top-level-domain": ".ci"
 },
 "uuid": "c1aac71f-b060-4816-9369-451df1550883",
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 30ad8d07..930ee7de 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -3735,10 +3735,12 @@
 "refs": [
 "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf",
 "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html",
- "https://attack.mitre.org/groups/G0037/"
+ "https://attack.mitre.org/groups/G0037/",
+ "https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/"
 ],
 "synonyms": [
- "Skeleton Spider"
+ "Skeleton Spider",
+ "ITG08"
 ]
 },
 "related": [
@@ -4675,7 +4677,8 @@
 "https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html"
 ],
 "synonyms": [
- "Machete"
+ "Machete",
+ "machete-apt"
 ]
 },
 "uuid": "827c17e0-c3f5-4ad1-a4f4-30a40ed0a2d3",
@@ -6911,7 +6914,11 @@
 "https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware",
 "https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf",
 "https://threatpost.com/ta505-servhelper-malware/140792/",
- "https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/"
+ "https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/",
+ "https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/"
+ ],
+ "synonyms": [
+ "SectorJ04 Group"
 ]
 },
 "uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f",
@@ -7643,6 +7650,15 @@
 "uuid": "5533d062-18ab-4c70-9472-0eac03f95a1d",
 "value": "TA428"
 },
+ {
+ "meta": {
+ "refs": [
+ "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign"
+ ]
+ },
+ "uuid": "e1b95185-8db6-4f3c-9ffd-1749087d934a",
+ "value": "LYCEUM"
+ },
 {
 "description": "APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control.",
 "meta": {
@@ -7694,5 +7710,5 @@
 "value": "SectorJ04"
 }
 ],
- "version": 129
+ "version": 131
 }
diff --git a/tools/__init__.py b/tools/__init__.py
new file mode 100644
index 00000000..e69de29b
diff --git a/tools/chk_dup.py b/tools/chk_dup.py
index 2ed2f897..9df3000e 100755
--- a/tools/chk_dup.py
+++ b/tools/chk_dup.py
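Review bot: Adding `"SectorJ04 Group"` as a TA505 synonym while the file keeps a standalone `SectorJ04` cluster (visible as context in the version hunk, `"value": "SectorJ04"`) leaves the same actor described in two entries, and `tools/chk_dup.py` compares whole lowercased strings, so `sectorj04 group` versus `sectorj04` is never flagged. Either fold the standalone SectorJ04 entry into TA505 (carrying its uuid in `related` so existing references resolve) or use the exact spelling `"SectorJ04"` here so the duplicate checker at least reports the overlap. The `refs` URL is from the vendor that coined the SectorJ04 name, so the alias itself is well sourced.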
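Review bot: The new LYCEUM cluster carries only `meta.refs`, `uuid` and `value`; unlike the neighbouring TA428 and APT41 entries it has no `description`, so consumers of the galaxy get a bare name with nothing to tell them what the group is. A one- or two-sentence `"description"` summarising the cited Secureworks post (targeting and notable tooling, attributed to the source) belongs in the entry. The value is written in all capitals; if that is the vendor's spelling keep it, otherwise match the capitalisation style of the surrounding entries.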
@@ -8,9 +8,19 @@
 import os
 import collections
 
-def loadjsons(path):
+def loadjsons(path, return_paths=False):
 """
- Find all Jsons and load them in a dict
+ Find all Jsons and load them in a dict
+
+ Parameters:
+ path: string
+ return_names: boolean, if the name of the file should be returned,
+ default: False
+
+ Returns:
+ List of parsed file contents.
+ If return_paths is True, then every list item is a tuple of the
+ file name and the file content
 """
 files = []
 data = []
@@ -18,9 +28,14 @@ def loadjsons(path):
 if os.path.isfile(os.path.join(path, name)) and name.endswith('.json'):
 files.append(name)
 for jfile in files:
- data.append(json.load(open("%s/%s" % (path, jfile))))
+ filepath = os.path.join(path, jfile)
+ if return_paths:
+ data.append((filepath, json.load(open(filepath))))
+ else:
+ data.append(json.load(json.load(open(filepath))))
 return data
 
+
 if __name__ == '__main__':
 """
 Iterate all name + synonyms
@@ -33,19 +48,19 @@ if __name__ == '__main__':
 items = djson.get('values')
 for entry in items:
 name = entry.get('value').strip().lower()
- counter[name]+=1
+ counter[name] += 1
 namespace.append([name, djson.get('name')])
 try:
 for synonym in entry.get('meta').get('synonyms'):
 name = synonym.strip().lower()
- counter[name]+=1
+ counter[name] += 1
 namespace.append([name, djson.get('name')])
 except (AttributeError, TypeError):
 pass
 counter = dict(counter)
 for key, val in counter.items():
- if val>1:
- print ("Warning duplicate %s" % key)
+ if val > 1:
+ print("Warning duplicate %s" % key)
 for item in namespace:
- if item[0]==key:
- print (item)
+ if item[0] == key:
+ print(item)
diff --git a/tools/chk_empty_strings.py b/tools/chk_empty_strings.py
new file mode 100755
index 00000000..1ccac243
--- /dev/null
+++ b/tools/chk_empty_strings.py
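Review bot: The new docstring documents a parameter named `return_names`, but the signature added on the same hunk is `def loadjsons(path, return_paths=False)`; a reader following the docstring will pass the wrong keyword and get a `TypeError`. Change the line to `return_paths: boolean, if the path of the file should be returned (default: False)` and describe the return as a list of `(filepath, content)` tuples, since the value appended in the next hunk is the joined path, not the bare file name. The body of `loadjsons` continues in the following hunk.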
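Review bot: The `else` branch calls `json.load` twice, `data.append(json.load(json.load(open(filepath))))`, so the inner call returns a dict and the outer one raises `AttributeError` (no `.read`) on the very first file; every caller that relies on the default `return_paths=False`, including this script's own `__main__` block in the next hunk, is now broken, while only the new `return_paths=True` path used by chk_empty_strings.py works. Both branches also leave the file handle open and depend on the locale default encoding, which matters for the non-ASCII cluster data in this same commit. Suggested rewrite of the loop so the parse happens once and the file is closed:
```python
for jfile in files:
    filepath = os.path.join(path, jfile)
    with open(filepath, encoding='utf-8') as fh:
        content = json.load(fh)
    # one parse; the flag only decides the list item's shape
    data.append((filepath, content) if return_paths else content)
return data
```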
@@ -0,0 +1,24 @@
+#!/usr/bin/env python3
+# coding=utf-8
+"""
+ Tools to find empty string entries in galaxies
+"""
+from .chk_dup import loadjsons
+import sys
+
+
+if __name__ == '__main__':
+ jsons = loadjsons("clusters", return_paths=True)
+ retval = 0
+ for clustername, djson in jsons:
+ items = djson.get('values')
+ for entry in items:
+ name = entry.get('value')
+ for key, value in entry.get('meta', {}).items():
+ if isinstance(value, list):
+ if '' in value:
+ retval = 1
+ print("Empty string found in Cluster %r: values/%s/meta/%s"
+ "" % (clustername, name, key),
+ file=sys.stderr)
+ sys.exit(retval)
diff --git a/validate_all.sh b/validate_all.sh
index 7d1a8423..f797c553 100755
--- a/validate_all.sh
+++ b/validate_all.sh
@@ -84,3 +84,6 @@ do
 fi
 echo ''
 done
+
+# check for empyt strings in clusters
+python3 -m tools.chk_empty_strings
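Review bot: `items = djson.get('values')` is iterated without a guard, so a cluster file lacking a `values` key aborts the whole run with a `TypeError` instead of being reported, and only list-valued `meta` entries are inspected, so an empty scalar such as `"top-level-domain": ""` (the same class of defect the `""` → `"Country"` fix in target-information.json addresses) passes silently. `for entry in djson.get('values', []):` and `if value == '' or (isinstance(value, list) and '' in value):` cover both cases with no other change. The relative import `from .chk_dup import loadjsons` means the script only runs as `python3 -m tools.chk_empty_strings` from the repository root, which is how validate_all.sh invokes it; that constraint belongs in the module docstring.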
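Review bot: The new comment has a typo, `# check for empyt strings in clusters`; change it to `# check for empty strings in clusters`. The check's non-zero exit status is propagated only because the command is the last line of the script; the script header is outside this hunk, so if it does not run under `set -e`, write `python3 -m tools.chk_empty_strings || exit 1` so a later addition below it cannot mask the failure.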