Merge branch 'master' of github.com:MISP/misp-galaxy

pull/107/head
Raphaël Vinot 2017-10-27 10:50:58 -04:00
commit 756af14983
3 changed files with 41 additions and 3 deletions


@ -7,7 +7,7 @@
],
"description": "remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote \"operator\" to control a system as if they have physical access to that system.",
"uuid": "312f8714-45cb-11e7-b898-135207cdceb9",
"version": 3,
"version": 4,
"values": [
{
"meta": {
@ -2125,6 +2125,15 @@
"meta": {
"date": "2013"
}
},
{
"description": "On November 8, 2016 a non-disclosed entity in Laos was spear-phished by a group closely related to known Chinese adversaries and most likely affiliated with the Chinese government. The attackers utilized a new kind of Remote Access Trojan (RAT) that has not been previously observed or reported. The new RAT extends the capabilities of traditional RATs by providing complete remote execution of custom commands and programming. htpRAT, uncovered by RiskIQ cyber investigators, is the newest weapon in the Chinese adversarys arsenal in a campaign against Association of Southeast Asian Nations (ASEAN). Most RATs can log keystrokes, take screenshots, record audio and video from a webcam or microphone, install and uninstall programs and manage files. They support a fixed set of commands operators can execute using different command IDs —file download or file upload, for example—and must be completely rebuilt to have different functionality. htpRAT, on the other hand, serves as a conduit for operators to do their job with greater precision and effect. On the Command and Control (C2) server side, threat actors can build new functionality in commands, which can be sent to the malware to execute. This capability makes htpRAT a small, agile, and incredibly dynamic piece of malware. Operators can change functionality, such as searching for a different file on the victims network, simply by wrapping commands. ",
"value": "htpRAT",
"meta": {
"refs": [
"https://cdn.riskiq.com/wp-content/uploads/2017/10/RiskIQ-htpRAT-Malware-Attacks.pdf?_ga=2.159415805.1155855406.1509033001-1017609577.1507615928"
]
}
}
]
}
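Review bot: The reference URL in the new htpRAT value's `refs` carries a Google Analytics client token (`?_ga=2.159415805...`) copied from whoever pasted the link; it should be stripped to the canonical document, `"https://cdn.riskiq.com/wp-content/uploads/2017/10/RiskIQ-htpRAT-Malware-Attacks.pdf"`, so the ref stays stable and a session-specific tracking identifier is not committed into a shared cluster. The description is also pasted verbatim from the report with a trailing space and missing apostrophes (`adversarys`, `victims network`), and the entry has no `meta.date` although the neighbouring value does (`"date": "2013"`); `"date": "2016"`, matching the November 8, 2016 incident the description itself cites, would be consistent. The closing `]` and `}` of the values array are in the hunk, so this is the end of the file.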


@ -10,7 +10,7 @@
],
"description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
"uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
"version": 34,
"version": 35,
"values": [
{
"meta": {
@ -2992,6 +2992,25 @@
"http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/"
]
}
},
{
"value": "FormBook",
"description": "FormBook is a data stealer and form grabber that has been advertised in various hacking forums since early 2016.",
"meta": {
"refs": [
"https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html",
"https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/"
]
}
},
{
"value": "Dimnie",
"description": "Dimnie, the commonly agreed upon name for the binary dropped by the PowerShell script above, has been around for several years. Palo Alto Networks has observed samples dating back to early 2014 with identical command and control mechanisms. The malware family serves as a downloader and has a modular design encompassing various information stealing functionalities. Each module is injected into the memory of core Windows processes, further complicating analysis. During its lifespan, it appears to have undergone few changes and its stealthy command and control methods combined with a previously Russian focused target base has allowed it to fly under the radar up until this most recent campaign.",
"meta": {
"refs": [
"https://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/"
]
}
}
]
}
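Review bot: The Dimnie description opens with `the binary dropped by the PowerShell script above`, which refers to a script shown in the linked Unit 42 post rather than anything in this galaxy, so the sentence dangles when rendered in MISP. Reword the opening to stand alone, e.g. `"description": "Dimnie is the commonly agreed-upon name for a downloader delivered by a PowerShell script in the campaign analysed by Palo Alto Networks (Unit 42, 2017/03); samples with identical command-and-control mechanisms date back to early 2014. ..."`, keeping the rest of the paragraph. The FormBook entry reads fine; both new values carry only `refs` in `meta`, so if this cluster uses `date` or `synonyms` elsewhere they would be worth adding here too.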


@ -1,37 +1,47 @@
{
"values": [
{
"description": "Cover vulnerabilities exploit (0day, 1day, nday), exploit kit",
"value": "Exploits"
},
{
"description": "Deep-Dark Web forum, marketplace, hosting, etc",
"value": "Infrastructure"
},
{
"description": "Malware family",
"value": "Malware"
},
{
"description": "Legitimate SW or HW repurposed for malicious use",
"value": "Tools"
},
{
"description": "Does not belong to any of the other category",
"value": "Other"
},
{
"description": "Undetermined category",
"value": "Unknown"
},
{
"description": "Specific attack patterns (specific to a technology, to an author, not widely used, etc)",
"value": "Attack Patterns (S)"
},
{
"description": "Generic attack pattern, mehod, technique",
"value": "Attack Patterns (G)"
},
{
"description": "Non-technical description of threat actor activities (information war, destruction, hybrid, etc)",
"value": "Tactic"
},
{
"description": "Asset being targeted (MacOS, Android, ICS, IoT, Cryptocurrency, ect)",
"value": "Targeting"
}
],
"version" : 1,
"version" : 2,
"description": "ttp category vocab as defined by Cert EU.",
"source": "Cert EU",
"author": ["Cert EU"],
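Review bot: Two description strings in this vocabulary contain typos that will surface verbatim in MISP's tag picker: `"Generic attack pattern, mehod, technique"` should read `method`, and `"... Cryptocurrency, ect)"` should read `etc`. `"Does not belong to any of the other category"` would also read better as `categories`. The hunk header (`-1,37 +1,47`) implies more lines changed than the version bump, but the rendered page does not show which, so these strings may be pre-existing; correcting them should come with another `version` bump so consumers pick up the change.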