diff --git a/clusters/tool.json b/clusters/tool.json
index bbed472..ea299cc 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -1,28 +1,19 @@
 {
- "name": "Tool",
- "type": "tool",
- "source": "MISP Project",
- "authors": [
- "Alexandre Dulaunoy",
- "Florian Roth",
- "Timo Steffens",
- "Christophe Vandeplas",
- "Dennis Rand"
- ],
- "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
 "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
+ "name": "Tool",
+ "source": "MISP Project",
 "version": 70,
 "values": [
 {
 "meta": {
- "type": [
- "Banking"
- ],
 "synonyms": [
 "Hunter",
 "Zusy",
 "TinyBanker"
 ],
+ "type": [
+ "Banking"
+ ],
 "refs": [
 "https://thehackernews.com/search/label/Zusy%20Malware",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/the-tinbatinybanker-malware/"
@@ -34,9 +25,6 @@
 },
 {
 "meta": {
- "type": [
- "Backdoor"
- ],
 "synonyms": [
 "Backdoor.FSZO-5117",
 "Trojan.Heur.JP.juW@ayZZvMb",
@@ -44,6 +32,9 @@
 "Korplug",
 "Agent.dhwf"
 ],
+ "type": [
+ "Backdoor"
+ ],
 "refs": [
 "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/112/pulling-the-plug-on-plugx"
 ]
@@ -54,11 +45,11 @@
 },
 {
 "meta": {
- "type": [
- "Backdoor"
- ],
 "refs": [
 "https://www.zscaler.com/pdf/whitepapers/msupdater_trojan_whitepaper.pdfx"
+ ],
+ "type": [
+ "Backdoor"
 ]
 },
 "description": " Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009",
@@ -67,11 +58,11 @@
 },
 {
 "meta": {
- "type": [
- "HackTool"
- ],
 "refs": [
 "https://github.com/AlessandroZ/LaZagne"
+ ],
+ "type": [
+ "HackTool"
 ]
 },
 "description": "A password sthealing tool regularly used by attackers",
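Review bot: The first hunk (`@@ -1,28 +1,19 @@`) does not merely reorder the top-level keys: `name` and `source` are re-added after `uuid`, but `"type": "tool"`, the five-entry `"authors"` array and the cluster `"description"` are removed and never re-added, which the hunk header's line count (28 → 19) also reflects. Since every other hunk in the commit is a pure key reordering, this looks like a side-effect of the reformatting pass (for example a serializer that only emits keys from a fixed list) rather than an intended removal, but that is an inference from the diff. If so, restore the three keys in the new ordering, e.g. after `"source": "MISP Project",` add `"type": "tool",`, the `"authors": [ … ]` block and the `"description": "threat-actor-tools is an enumeration …"` line exactly as they appear on the removed side. MISP galaxy validates cluster files against a JSON schema in the repository; if that schema lists these keys as required, the new file will fail validation, and downstream consumers that key off the cluster `type` would lose the attribution and description metadata.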
@@ -80,13 +71,13 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "synonyms": [ "Backdoor.Win32.PoisonIvy", "Gen:Trojan.Heur.PT" ], + "type": [ + "Backdoor" + ], "refs": [ "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf", "https://www.f-secure.com/v-descs/backdoor_w32_poisonivy.shtml" @@ -98,11 +89,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/" + ], + "type": [ + "Backdoor" ] }, "description": "In March 2016, Unit 42 observed this new Poison Ivy variant we’ve named SPIVY being deployed via weaponized documents leveraging CVE-2015-2545.", @@ -111,45 +102,45 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "synonyms": [ "Anchor Panda" ], + "type": [ + "Backdoor" + ], "refs": [ "https://www.crowdstrike.com/blog/whois-anchor-panda/" ] }, - "value": "Torn RAT", - "uuid": "32a67552-3b31-47bb-8098-078099bbc813" + "uuid": "32a67552-3b31-47bb-8098-078099bbc813", + "value": "Torn RAT" }, { "meta": { - "type": [ - "Backdoor" - ], "synonyms": [ "Ozone RAT", "ozonercp" ], + "type": [ + "Backdoor" + ], "refs": [ "https://blog.fortinet.com/2016/08/29/german-speakers-targeted-by-spam-leading-to-ozone-rat" ] }, - "value": "OzoneRAT", - "uuid": "e3010d81-94e2-43a9-98ed-61925b02be6e" + "uuid": "e3010d81-94e2-43a9-98ed-61925b02be6e", + "value": "OzoneRAT" }, { "meta": { - "type": [ - "Backdoor" - ], "synonyms": [ "BackDoor-FBZT!52D84425CDF2", "Trojan.Win32.Staser.ytq", "Win32/Zegost.BW" ], + "type": [ + "Backdoor" + ], "refs": [ "https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor%3aWin32%2fZegost.BW" ] @@ -160,13 +151,13 @@ }, { "meta": { + "synonyms": [ + "Elise" + ], "type": [ "dropper", "PWS" ], - "synonyms": [ - "Elise" - ], "refs": [ "http://thehackernews.com/2015/08/elise-malware-hacking.html" ] 
@@ -177,13 +168,13 @@ }, { "meta": { + "synonyms": [ + "Laziok" + ], "type": [ "PWS", "reco" ], - "synonyms": [ - "Laziok" - ], "refs": [ "http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector" ] @@ -194,16 +185,16 @@ }, { "meta": { - "type": [ - "Spyware", - "AndroidOS" - ], "synonyms": [ "GM-Bot", "SlemBunk", "Bankosy", "Acecard" ], + "type": [ + "Spyware", + "AndroidOS" + ], "refs": [ "https://securityintelligence.com/android-malware-about-to-get-worse-gm-bot-source-code-leaked/" ] @@ -214,11 +205,6 @@ }, { "meta": { - "type": [ - "Dropper", - "Miner", - "Spyware" - ], "synonyms": [ "PWOLauncher", "PWOHTTPD", @@ -227,6 +213,11 @@ "PWOPyExec", "PWOQuery" ], + "type": [ + "Dropper", + "Miner", + "Spyware" + ], "refs": [ "http://researchcenter.paloaltonetworks.com/2016/04/unit42-python-based-pwobot-targets-european-organizations/" ] @@ -237,12 +228,12 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/" ], + "type": [ + "Backdoor" + ], "synonyms": [ "LostDoor RAT", "BKDR_LODORAT" @@ -254,30 +245,30 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf", "https://github.com/kevthehermit/RATDecoders/blob/master/yaraRules/njRat.yar" ], + "type": [ + "Backdoor" + ], "synonyms": [ "Bladabindi", "Jorik" ] }, - "value": "njRAT", - "uuid": "a860d257-4a39-47ec-9230-94cac67ebf7e" + "uuid": "a860d257-4a39-47ec-9230-94cac67ebf7e", + "value": "njRAT" }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "http://www.symantec.com/connect/blogs/nanocore-another-rat-tries-make-it-out-gutter", "https://nanocore.io/" ], + "type": [ + "Backdoor" + ], "synonyms": [ "NanoCore", "Nancrat", 
@@ -285,61 +276,61 @@ "Atros2.CKPN" ] }, - "value": "NanoCoreRAT", - "uuid": "a8111fb7-d4c4-4671-a6f9-f62fea8bad60" + "uuid": "a8111fb7-d4c4-4671-a6f9-f62fea8bad60", + "value": "NanoCoreRAT" }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://www.secureworks.com/research/sakula-malware-family" ], + "type": [ + "Backdoor" + ], "synonyms": [ "Sakurel" ] }, - "value": "Sakula", - "uuid": "f6c137f0-979c-4ce2-a0e5-2a080a5a1746" + "uuid": "f6c137f0-979c-4ce2-a0e5-2a080a5a1746", + "value": "Sakula" }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "http://www.threatgeek.com/2016/01/introducing-hi-zor-rat.html" + ], + "type": [ + "Backdoor" ] }, - "value": "Hi-ZOR", - "uuid": "e8fbb7b4-2f27-4028-975a-485d4c2dd977" + "uuid": "e8fbb7b4-2f27-4028-975a-485d4c2dd977", + "value": "Hi-ZOR" }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf", "https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf" ], + "type": [ + "Backdoor" + ], "synonyms": [ "TROJ_DLLSERV.BE" ] }, - "value": "Derusbi", - "uuid": "eff68b97-f36e-4827-ab1a-90523c16774c" + "uuid": "eff68b97-f36e-4827-ab1a-90523c16774c", + "value": "Derusbi" }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/evilgrab-malware-family-used-in-targeted-attacks-in-asia/", "http://researchcenter.paloaltonetworks.com/2015/06/evilgrab-delivered-by-watering-hole-attack-on-president-of-myanmars-website/" ], + "type": [ + "Backdoor" + ], "synonyms": [ "BKDR_HGDER", "BKDR_EVILOGE", 
@@ -347,18 +338,18 @@ "Wmonder" ] }, - "value": "EvilGrab", - "uuid": "c9b4ec27-0a43-4671-a967-bcac5df0e056" + "uuid": "c9b4ec27-0a43-4671-a967-bcac5df0e056", + "value": "EvilGrab" }, { "meta": { - "type": [ - "Dropper" - ], "refs": [ "https://www.symantec.com/connect/blogs/cve-2012-1875-exploited-wild-part-1-trojannaid", "http://telussecuritylabs.com/threats/show/TSL20120614-05" ], + "type": [ + "Dropper" + ], "synonyms": [ "Naid", "Mdmbot.E", @@ -369,18 +360,18 @@ "AGENT.ABQMR" ] }, - "value": "Trojan.Naid", - "uuid": "170db76b-93f7-4fd1-97fc-55937c079b66" + "uuid": "170db76b-93f7-4fd1-97fc-55937c079b66", + "value": "Trojan.Naid" }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "http://www.darkreading.com/attacks-breaches/elite-chinese-cyberspy-group-behind-bit9-hack/d/d-id/1140495", "https://securityledger.com/2013/09/apt-for-hire-symantec-outs-hidden-lynx-hacking-crew/" ], + "type": [ + "Backdoor" + ], "synonyms": [ "SCAR", "KillProc.14145" @@ -392,12 +383,12 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://securelist.com/blog/incidents/57455/nettraveler-is-back-the-red-star-apt-returns-with-new-tricks/" ], + "type": [ + "Backdoor" + ], "synonyms": [ "TravNet", "Netfile" @@ -409,13 +400,13 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://securelist.com/blog/incidents/57455/nettraveler-is-back-the-red-star-apt-returns-with-new-tricks/", "https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-than-just-a-game-130410.pdf" ], + "type": [ + "Backdoor" + ], "synonyms": [ "Etso", "SUQ", @@ -428,13 +419,13 @@ }, { "meta": { - "type": [ - "HackTool" - ], "refs": [ "https://github.com/gentilkiwi/mimikatz", "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/" ], + "type": [ + "HackTool" + ], "synonyms": [ "Mikatz" ] 
@@ -445,12 +436,12 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://github.com/gnaegle/cse4990-practical3", "https://www.securestate.com/blog/2013/02/20/apt-if-it-aint-broke" + ], + "type": [ + "Backdoor" ] }, "description": "Backdoor attribued to APT1", @@ -459,12 +450,12 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" ], + "type": [ + "Backdoor" + ], "synonyms": [ "Badey", "EXL" @@ -476,11 +467,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/" + ], + "type": [ + "Backdoor" ] }, "description": "RARSTONE is a Remote Access Tool (RAT) discovered early 2013 by TrendMicro, it’s characterized by a great affinity with the other RAT know as Plug is and was used in April for phishing campaigns that followed the dramatic attack to the Boston Marathon.", @@ -489,13 +480,13 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://www2.fireeye.com/WEB-2015RPTAPT30.html", "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf" ], + "type": [ + "Backdoor" + ], "synonyms": [ "Lecna" ] @@ -506,12 +497,12 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "https://kasperskycontenthub.com/securelist/files/2015/05/TheNaikonAPT-MsnMM.pdf" + ], + "type": [ + "Backdoor" ] }, "description": "Backdoor user by he Naikon APT group", @@ -520,13 +511,13 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "synonyms": [ "scout", "norton" ], + "type": [ + "Backdoor" + ], "refs": [ "https://attack.mitre.org/wiki/Software/S0034", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" 
@@ -538,12 +529,12 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://blog.gdatasoftware.com/2015/01/23927-evolution-of-sophisticated-spyware-from-agent-btz-to-comrat" ], + "type": [ + "Backdoor" + ], "synonyms": [ "ComRat" ] @@ -558,18 +549,18 @@ "uuid": "b1b7e7d8-3778-4783-9cc7-9ec04b146031" }, { - "value": "Agent.dne", - "uuid": "93fe1644-a7a6-4e5a-bc3b-88984b251fde" + "uuid": "93fe1644-a7a6-4e5a-bc3b-88984b251fde", + "value": "Agent.dne" }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/", "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf" ], + "type": [ + "Backdoor" + ], "synonyms": [ "Tavdig", "Epic Turla", @@ -583,14 +574,14 @@ }, { "meta": { - "type": [ - "Backdoor", - "Rootkit" - ], "refs": [ "https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf", "https://objective-see.com/blog/blog_0x25.html#Snake" ], + "type": [ + "Backdoor", + "Rootkit" + ], "synonyms": [ "Snake", "Uroburos", @@ -602,8 +593,8 @@ "uuid": "22332d52-c0c2-443c-9ffb-f08c0d23722c" }, { - "value": "Winexe", - "uuid": "811bdec0-e236-48ae-b27c-1a8fe0bfc3a9" + "uuid": "811bdec0-e236-48ae-b27c-1a8fe0bfc3a9", + "value": "Winexe" }, { "description": "RAT initialy identified in 2011 and still actively used.", @@ -616,8 +607,8 @@ "WinSpy" ] }, - "value": "Cadelspy", - "uuid": "38d6a0a1-0388-40d4-b8f4-1d58eeb9a07d" + "uuid": "38d6a0a1-0388-40d4-b8f4-1d58eeb9a07d", + "value": "Cadelspy" }, { "meta": { @@ -625,8 +616,8 @@ "http://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/" ] }, - "value": "CMStar", - "uuid": "e81b96a2-22e9-445e-88c7-65b67c2299ec" + "uuid": "e81b96a2-22e9-445e-88c7-65b67c2299ec", + "value": "CMStar" }, { "meta": { 
@@ -637,8 +628,8 @@ "iRAT" ] }, - "value": "DHS2015", - "uuid": "d6420953-0e85-4330-abc2-3a8b9dda046b" + "uuid": "d6420953-0e85-4330-abc2-3a8b9dda046b", + "value": "DHS2015" }, { "meta": { @@ -676,8 +667,8 @@ "BKDR_HUPIGON" ] }, - "value": "MFC Huner", - "uuid": "a5a48311-afbf-44c4-8045-46ffd51cd4d0" + "uuid": "a5a48311-afbf-44c4-8045-46ffd51cd4d0", + "value": "MFC Huner" }, { "meta": { @@ -692,18 +683,18 @@ }, { "meta": { - "type": [ - "Backdoor" - ], - "possible_issues": "Report tells that is could be Xagent alias (Java Rat)", "refs": [ "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" ], + "type": [ + "Backdoor" + ], "synonyms": [ "webhp", "SPLM", "(.v2 fysbis)" - ] + ], + "possible_issues": "Report tells that is could be Xagent alias (Java Rat)" }, "description": "backdoor used by apt28 ", "value": "CHOPSTICK", @@ -711,19 +702,19 @@ }, { "meta": { - "type": [ - "Backdoor" - ], - "possible_issues": "Report tells that is could be Xagent alias (Java Rat)", "refs": [ "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" ], + "type": [ + "Backdoor" + ], "synonyms": [ "Sedreco", "AZZY", "ADVSTORESHELL", "NETUI" - ] + ], + "possible_issues": "Report tells that is could be Xagent alias (Java Rat)" }, "description": "backdoor used by apt28\n\nSedreco serves as a spying backdoor; its functionalities can be extended with dynamically loaded plugins. It is made up of two distinct components: a dropper and the persistent payload installed by this dropper. We have not seen this component since April 2016.", "value": "EVILTOSS", @@ -731,12 +722,12 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" ], + "type": [ + "Backdoor" + ], "synonyms": [ "Sednit", "Seduploader", 
@@ -763,13 +754,13 @@ }, { "meta": { - "type": [ - "PWS" - ], "refs": [ "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_sasfis.tl", "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" ], + "type": [ + "PWS" + ], "synonyms": [ "Sasfis", "BackDoor-FDU", @@ -799,8 +790,8 @@ "Havex" ] }, - "value": "Havex RAT", - "uuid": "d7183f66-59ec-4803-be20-237b442259fc" + "uuid": "d7183f66-59ec-4803-be20-237b442259fc", + "value": "Havex RAT" }, { "meta": { 
@@ -813,44 +804,44 @@ "uuid": "b3f7a454-3b23-4149-99aa-0132323814d0" }, { - "value": "TinyTyphon", - "uuid": "1b591586-e1ef-4a32-8dae-791aca5ddf41" + "uuid": "1b591586-e1ef-4a32-8dae-791aca5ddf41", + "value": "TinyTyphon" }, { - "value": "Badnews", - "uuid": "48ca79ff-ea36-4a47-8231-0f7f0db0e09e" + "uuid": "48ca79ff-ea36-4a47-8231-0f7f0db0e09e", + "value": "Badnews" }, { - "value": "LURK", - "uuid": "fcece2f7-e0ef-44e0-aa9f-578c2a56f532" + "uuid": "fcece2f7-e0ef-44e0-aa9f-578c2a56f532", + "value": "LURK" }, { - "value": "Oldrea", - "uuid": "f2e17736-9575-4a91-92ab-bb82bb0bf900" + "uuid": "f2e17736-9575-4a91-92ab-bb82bb0bf900", + "value": "Oldrea" }, { - "value": "AmmyAdmin", - "uuid": "d1006b04-3015-49ea-9414-a968a0f74106" + "uuid": "d1006b04-3015-49ea-9414-a968a0f74106", + "value": "AmmyAdmin" }, { - "value": "Matryoshka", - "uuid": "cb6c49ab-b9ac-459f-b765-05cbe2e63b0d" + "uuid": "cb6c49ab-b9ac-459f-b765-05cbe2e63b0d", + "value": "Matryoshka" }, { - "value": "TinyZBot", - "uuid": "e2cc27a2-4146-4f08-8e80-114a99204cea" + "uuid": "e2cc27a2-4146-4f08-8e80-114a99204cea", + "value": "TinyZBot" }, { - "value": "GHOLE", - "uuid": "43a0d8a7-558d-4104-8a24-55e6e7a503db" + "uuid": "43a0d8a7-558d-4104-8a24-55e6e7a503db", + "value": "GHOLE" }, { - "value": "CWoolger", - "uuid": "005b46a2-9498-473a-bee2-0db91e5fb327" + "uuid": "005b46a2-9498-473a-bee2-0db91e5fb327", + "value": "CWoolger" }, { - "value": "FireMalv", - "uuid": "6ef11b6e-d81a-465b-9dce-fab5c6fe807b" + "uuid": "6ef11b6e-d81a-465b-9dce-fab5c6fe807b", + "value": "FireMalv" }, { "meta": { 
@@ -867,72 +858,72 @@ "uuid": "0cf21558-1217-4d36-9536-2919cfd44825" }, { - "value": "Duqu", - "uuid": "809b54c3-dd6a-4ec9-8c3a-a27b9baa6732" + "uuid": "809b54c3-dd6a-4ec9-8c3a-a27b9baa6732", + "value": "Duqu" }, { - "value": "Flame", - "uuid": "d7963066-62ed-4494-9b8c-4b8b691a7c82" + "uuid": "d7963066-62ed-4494-9b8c-4b8b691a7c82", + "value": "Flame" }, { - "value": "Stuxnet", - "uuid": "1b63293f-13f0-4c25-9bf6-6ebc023fc8ff" + "uuid": "1b63293f-13f0-4c25-9bf6-6ebc023fc8ff", + "value": "Stuxnet" }, { - "value": "EquationLaser", - "uuid": "21f7a57b-7778-4b3e-9b50-5289ae3b445d" + "uuid": "21f7a57b-7778-4b3e-9b50-5289ae3b445d", + "value": "EquationLaser" }, { - "value": "EquationDrug", - "uuid": "3e0c2d35-87cb-40f9-b341-a6c8dbec697e" + "uuid": "3e0c2d35-87cb-40f9-b341-a6c8dbec697e", + "value": "EquationDrug" }, { - "value": "DoubleFantasy", - "uuid": "fb8828a4-76de-467d-9f52-528984aa9b8d" + "uuid": "fb8828a4-76de-467d-9f52-528984aa9b8d", + "value": "DoubleFantasy" }, { - "value": "TripleFantasy", - "uuid": "a4cebcc4-9e9b-415f-aa05-dd71c4e288fe" + "uuid": "a4cebcc4-9e9b-415f-aa05-dd71c4e288fe", + "value": "TripleFantasy" }, { - "value": "Fanny", - "uuid": "1e25d254-3f03-4752-b8d6-023a23e7d4ae" + "uuid": "1e25d254-3f03-4752-b8d6-023a23e7d4ae", + "value": "Fanny" }, { - "value": "GrayFish", - "uuid": "2407bd9a-a3a4-40c4-86de-be6965243c67" + "uuid": "2407bd9a-a3a4-40c4-86de-be6965243c67", + "value": "GrayFish" }, { - "value": "Babar", - "uuid": "57b221bc-7ed6-4080-bc66-813d17009485" + "uuid": "57b221bc-7ed6-4080-bc66-813d17009485", + "value": "Babar" }, { - "value": "Bunny", - "uuid": "5589c428-792b-4439-b0db-07862765d96b" + "uuid": "5589c428-792b-4439-b0db-07862765d96b", + "value": "Bunny" }, { - "value": "Casper", - "uuid": "63b3e6fb-9bb8-43dc-9cbf-7681b049b5d6" + "uuid": "63b3e6fb-9bb8-43dc-9cbf-7681b049b5d6", + "value": "Casper" }, { - "value": "NBot", - "uuid": "97fa32d6-5d1d-43df-b765-4a0e31d7f179" + "uuid": "97fa32d6-5d1d-43df-b765-4a0e31d7f179", + "value": "NBot" 
}, { - "value": "Tafacalou", - "uuid": "835943ed-75d7-4225-9075-a8e2b2136fad" + "uuid": "835943ed-75d7-4225-9075-a8e2b2136fad", + "value": "Tafacalou" }, { - "value": "Tdrop", - "uuid": "4d81c146-56e1-45d2-b0e4-75d0acec8102" + "uuid": "4d81c146-56e1-45d2-b0e4-75d0acec8102", + "value": "Tdrop" }, { - "value": "Troy", - "uuid": "9825aa1f-6414-4f26-8487-605dd6c718d1" + "uuid": "9825aa1f-6414-4f26-8487-605dd6c718d1", + "value": "Troy" }, { - "value": "Tdrop2", - "uuid": "aff99aad-5231-4f14-8e68-67e87fb13b5c" + "uuid": "aff99aad-5231-4f14-8e68-67e87fb13b5c", + "value": "Tdrop2" }, { "meta": { @@ -943,8 +934,8 @@ "Sensode" ] }, - "value": "ZXShell", - "uuid": "5b9dc67e-bae4-44f3-b58d-6d842a744104" + "uuid": "5b9dc67e-bae4-44f3-b58d-6d842a744104", + "value": "ZXShell" }, { "meta": { @@ -952,8 +943,8 @@ "http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/" ] }, - "value": "T9000", - "uuid": "66575fb4-7f92-42d8-8c47-e68a26413081" + "uuid": "66575fb4-7f92-42d8-8c47-e68a26413081", + "value": "T9000" }, { "meta": { @@ -964,8 +955,8 @@ "Plat1" ] }, - "value": "T5000", - "uuid": "e957f773-f6d2-410f-8163-5f0c17a7bde2" + "uuid": "e957f773-f6d2-410f-8163-5f0c17a7bde2", + "value": "T5000" }, { "meta": { @@ -973,8 +964,8 @@ "http://www.symantec.com/connect/blogs/trojantaidoor-takes-aim-policy-think-tanks" ] }, - "value": "Taidoor", - "uuid": "cda7d605-23d0-4f93-a585-1276f094c04a" + "uuid": "cda7d605-23d0-4f93-a585-1276f094c04a", + "value": "Taidoor" }, { "meta": { @@ -982,8 +973,8 @@ "http://labs.alienvault.com/labs/index.php/2013/latest-adobe-pdf-exploit-used-to-target-uyghur-and-tibetan-activists/" ] }, - "value": "Swisyn", - "uuid": "1688dc7a-0ef9-49a9-a467-5231a5552b41" + "uuid": "1688dc7a-0ef9-49a9-a467-5231a5552b41", + "value": "Swisyn" }, { "meta": { 
@@ -991,12 +982,12 @@ "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks" ] }, - "value": "Rekaf", - "uuid": "cfe948c6-b8a6-437a-9d82-d81660e0287b" + "uuid": "cfe948c6-b8a6-437a-9d82-d81660e0287b", + "value": "Rekaf" }, { - "value": "Scieron", - "uuid": "267bf78e-f430-47b6-8ba0-1ae31698c711" + "uuid": "267bf78e-f430-47b6-8ba0-1ae31698c711", + "value": "Scieron" }, { "meta": { @@ -1004,8 +995,8 @@ "http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/" ] }, - "value": "SkeletonKey", - "uuid": "7709fedd-5083-4b54-bcd8-af3f76f6d171" + "uuid": "7709fedd-5083-4b54-bcd8-af3f76f6d171", + "value": "SkeletonKey" }, { "meta": { @@ -1013,8 +1004,8 @@ "http://labs.alienvault.com/labs/index.php/2011/another-sykipot-sample-likely-targeting-us-federal-agencies/" ] }, - "value": "Skyipot", - "uuid": "72e2b7b5-2718-4942-9ca2-17fa6730261f" + "uuid": "72e2b7b5-2718-4942-9ca2-17fa6730261f", + "value": "Skyipot" }, { "meta": { @@ -1022,16 +1013,16 @@ "http://www.threatconnect.com/news/threatconnect-enables-healthy-networking-biomed-life-sciences-industry/" ] }, - "value": "Spindest", - "uuid": "447735ac-82e4-4c97-b048-56b7e47203ef" + "uuid": "447735ac-82e4-4c97-b048-56b7e47203ef", + "value": "Spindest" }, { - "value": "Preshin", - "uuid": "d87326a3-fb94-448c-9615-8ec036c1df3a" + "uuid": "d87326a3-fb94-448c-9615-8ec036c1df3a", + "value": "Preshin" }, { - "value": "Oficla", - "uuid": "b3ea33fd-eaa0-4bab-9bd0-12534c9aa987" + "uuid": "b3ea33fd-eaa0-4bab-9bd0-12534c9aa987", + "value": "Oficla" }, { "meta": { 
@@ -1039,12 +1030,12 @@ "http://researchcenter.paloaltonetworks.com/2014/10/new-indicators-compromise-apt-group-nitro-uncovered/" ] }, - "value": "PCClient RAT", - "uuid": "f68d2200-cb9d-42de-9e5e-be2a8f674c5e" + "uuid": "f68d2200-cb9d-42de-9e5e-be2a8f674c5e", + "value": "PCClient RAT" }, { - "value": "Plexor", - "uuid": "8fb00a59-0dec-4d7f-bd53-9826b3929f39" + "uuid": "8fb00a59-0dec-4d7f-bd53-9826b3929f39", + "value": "Plexor" }, { "meta": { @@ -1052,8 +1043,8 @@ "https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html" ] }, - "value": "Mongall", - "uuid": "aa3aa21f-bc4e-4fb6-acd2-f4b6de482dfe" + "uuid": "aa3aa21f-bc4e-4fb6-acd2-f4b6de482dfe", + "value": "Mongall" }, { "meta": { @@ -1061,8 +1052,8 @@ "http://www.clearskysec.com/dustysky/" ] }, - "value": "NeD Worm", - "uuid": "eedcf785-d011-4e17-96c4-6ff39138ada0" + "uuid": "eedcf785-d011-4e17-96c4-6ff39138ada0", + "value": "NeD Worm" }, { "meta": { @@ -1070,8 +1061,8 @@ "https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html" ] }, - "value": "NewCT", - "uuid": "c5e3766c-9527-47c3-94db-f10de2c56248" + "uuid": "c5e3766c-9527-47c3-94db-f10de2c56248", + "value": "NewCT" }, { "meta": { @@ -1079,8 +1070,8 @@ "https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html" ] }, - "value": "Nflog", - "uuid": "b2ec2dca-5d49-4efa-9a9e-75126346d1ed" + "uuid": "b2ec2dca-5d49-4efa-9a9e-75126346d1ed", + "value": "Nflog" }, { "meta": { @@ -1088,8 +1079,8 @@ "http://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/" ] }, - "value": "Janicab", - "uuid": "c3c20c4b-e12a-42e5-960a-eea4644014f4" + "uuid": "c3c20c4b-e12a-42e5-960a-eea4644014f4", + "value": "Janicab" }, { "meta": { @@ -1100,8 +1091,8 @@ "Jiripbot" ] }, - "value": "Jripbot", - "uuid": "05e2ccec-7050-47cf-b925-50907f57c639" + "uuid": "05e2ccec-7050-47cf-b925-50907f57c639", + "value": "Jripbot" }, { "meta": { 
@@ -1109,8 +1100,8 @@ "http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html" ] }, - "value": "Jolob", - "uuid": "4d4528ff-6260-4b5d-b2ea-6e11ca02c396" + "uuid": "4d4528ff-6260-4b5d-b2ea-6e11ca02c396", + "value": "Jolob" }, { "meta": { @@ -1118,11 +1109,10 @@ "https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html" ] }, - "value": "IsSpace", - "uuid": "b9707a57-d15f-4937-b022-52cc17f6783f" + "uuid": "b9707a57-d15f-4937-b022-52cc17f6783f", + "value": "IsSpace" }, { - "value": "Emotet", "meta": { "refs": [ "https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/" @@ -1131,7 +1121,8 @@ "Geodo" ] }, - "uuid": "3f7616bd-f1de-46ee-87c2-43c0c2edaa28" + "uuid": "3f7616bd-f1de-46ee-87c2-43c0c2edaa28", + "value": "Emotet" }, { "meta": { @@ -1144,8 +1135,8 @@ "https://github.com/nccgroup/Royal_APT" ] }, - "value": "Hoardy", - "uuid": "25cd01bc-1346-4415-8f8d-d3656309ef6b" + "uuid": "25cd01bc-1346-4415-8f8d-d3656309ef6b", + "value": "Hoardy" }, { "meta": { @@ -1153,8 +1144,8 @@ "http://www.secureworks.com/research/threats/htran/" ] }, - "value": "Htran", - "uuid": "f3bfe513-2a65-49b5-9d64-a66541dce697" + "uuid": "f3bfe513-2a65-49b5-9d64-a66541dce697", + "value": "Htran" }, { "meta": { @@ -1165,16 +1156,16 @@ "TokenControl" ] }, - "value": "HTTPBrowser", - "uuid": "08e2c9ef-aa62-429f-a6e5-e901ff6883cd" + "uuid": "08e2c9ef-aa62-429f-a6e5-e901ff6883cd", + "value": "HTTPBrowser" }, { - "value": "Disgufa", - "uuid": "3a57bb24-b493-4698-bf46-6465c6cf5446" + "uuid": "3a57bb24-b493-4698-bf46-6465c6cf5446", + "value": "Disgufa" }, { - "value": "Elirks", - "uuid": "c0ea7b89-d246-4eb7-8de4-b4e17e135051" + "uuid": "c0ea7b89-d246-4eb7-8de4-b4e17e135051", + "value": "Elirks" }, { "meta": { 
@@ -1185,8 +1176,8 @@ "Ursnif" ] }, - "value": "Snifula", - "uuid": "75b01a1e-3269-4f4c-bdba-37af4e9c3f54" + "uuid": "75b01a1e-3269-4f4c-bdba-37af4e9c3f54", + "value": "Snifula" }, { "meta": { @@ -1199,8 +1190,8 @@ "Graftor" ] }, - "value": "Aumlib", - "uuid": "f3ac3d86-0fa2-4049-bfbc-1970004b8d32" + "uuid": "f3ac3d86-0fa2-4049-bfbc-1970004b8d32", + "value": "Aumlib" }, { "meta": { @@ -1208,8 +1199,8 @@ "http://www.fireeye.com/blog/technical/threat-intelligence/2014/07/spy-of-the-tiger.html" ] }, - "value": "CTRat", - "uuid": "f78cfa32-a629-421e-94f7-1e696bba2892" + "uuid": "f78cfa32-a629-421e-94f7-1e696bba2892", + "value": "CTRat" }, { "meta": { @@ -1220,8 +1211,8 @@ "Newsripper" ] }, - "value": "Emdivi", - "uuid": "a8395aae-1496-417d-98ee-3ecbcd9a94a0" + "uuid": "a8395aae-1496-417d-98ee-3ecbcd9a94a0", + "value": "Emdivi" }, { "meta": { @@ -1234,8 +1225,8 @@ "RIPTIDE" ] }, - "value": "Etumbot", - "uuid": "91583583-95c0-444e-8175-483cbebc640b" + "uuid": "91583583-95c0-444e-8175-483cbebc640b", + "value": "Etumbot" }, { "meta": { @@ -1243,8 +1234,8 @@ "Loneagent" ] }, - "value": "Fexel", - "uuid": "ba992105-373e-484a-ac81-2464deba93b7" + "uuid": "ba992105-373e-484a-ac81-2464deba93b7", + "value": "Fexel" }, { "meta": { @@ -1252,8 +1243,8 @@ "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/" ] }, - "value": "Fysbis", - "uuid": "bb929d1d-de95-4c3d-be79-55db3152dba1" + "uuid": "bb929d1d-de95-4c3d-be79-55db3152dba1", + "value": "Fysbis" }, { "meta": { @@ -1261,8 +1252,8 @@ "https://blog.bit9.com/2013/02/25/bit9-security-incident-update/" ] }, - "value": "Hikit", - "uuid": "06953055-92ed-4936-8ffd-d9d72ab6bef6" + "uuid": "06953055-92ed-4936-8ffd-d9d72ab6bef6", + "value": "Hikit" }, { "meta": { 
@@ -1275,8 +1266,8 @@ "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear" ] }, - "value": "Hancitor", - "uuid": "ff0404a1-465f-4dd5-8b66-ee773628ca64" + "uuid": "ff0404a1-465f-4dd5-8b66-ee773628ca64", + "value": "Hancitor" }, { "meta": { @@ -1284,8 +1275,8 @@ "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear" ] }, - "value": "Ruckguv", - "uuid": "d70bd6a8-5fd4-42e8-8e39-fb18daeccdb2" + "uuid": "d70bd6a8-5fd4-42e8-8e39-fb18daeccdb2", + "value": "Ruckguv" }, { "meta": { @@ -1293,8 +1284,8 @@ "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" ] }, - "value": "HerHer Trojan", - "uuid": "0798f8d2-1099-4122-8735-5a116264d3db" + "uuid": "0798f8d2-1099-4122-8735-5a116264d3db", + "value": "HerHer Trojan" }, { "meta": { @@ -1302,8 +1293,8 @@ "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" ] }, - "value": "Helminth backdoor", - "uuid": "7bc1110b-fdc5-4501-a19b-e86304da4eb9" + "uuid": "7bc1110b-fdc5-4501-a19b-e86304da4eb9", + "value": "Helminth backdoor" }, { "meta": { @@ -1311,8 +1302,8 @@ "http://williamshowalter.com/a-universal-windows-bootkit/" ] }, - "value": "HDRoot", - "uuid": "d2c1a439-585a-48bc-8176-c0c46dfac270" + "uuid": "d2c1a439-585a-48bc-8176-c0c46dfac270", + "value": "HDRoot" }, { "meta": { @@ -1320,8 +1311,8 @@ "https://www.fireeye.com/blog/threat-research/2016/06/irongate_ics_malware.html" ] }, - "value": "IRONGATE", - "uuid": "5514e486-6158-40d8-b258-047938b8ee20" + "uuid": "5514e486-6158-40d8-b258-047938b8ee20", + "value": "IRONGATE" }, { "meta": { 
@@ -1329,17 +1320,17 @@ "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" ] }, - "value": "ShimRAT", - "uuid": "487f26a5-8531-4ec6-bfa4-691834b156b8" + "uuid": "487f26a5-8531-4ec6-bfa4-691834b156b8", + "value": "ShimRAT" }, { "meta": { - "type": [ - "Backdoor" - ], "synonyms": [ "XAgent" ], + "type": [ + "Backdoor" + ], "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/", "https://app.box.com/s/l7n781ig6n8wlf1aff5hgwbh4qoi5jqq", @@ -1357,8 +1348,8 @@ "XTunnel" ] }, - "value": "X-Tunnel", - "uuid": "6d180bd7-3c77-4faf-b98b-dc2ab5f49101" + "uuid": "6d180bd7-3c77-4faf-b98b-dc2ab5f49101", + "value": "X-Tunnel" }, { "meta": { @@ -1366,8 +1357,8 @@ "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" ] }, - "value": "Foozer", - "uuid": "e4137f66-be82-4da7-96e6-e37ab33ea34f" + "uuid": "e4137f66-be82-4da7-96e6-e37ab33ea34f", + "value": "Foozer" }, { "meta": { @@ -1375,8 +1366,8 @@ "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" ] }, - "value": "WinIDS", - "uuid": "82875947-fafb-467a-82df-0d2e37111b97" + "uuid": "82875947-fafb-467a-82df-0d2e37111b97", + "value": "WinIDS" }, { "meta": { @@ -1384,8 +1375,8 @@ "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" ] }, - "value": "DownRange", - "uuid": "56349213-b73e-4a30-8188-08de1a77b960" + "uuid": "56349213-b73e-4a30-8188-08de1a77b960", + "value": "DownRange" }, { "meta": { 
@@ -1393,16 +1384,16 @@ "https://www.arbornetworks.com/blog/asert/mad-max-dga/" ] }, - "value": "Mad Max", - "uuid": "d3d56dd0-3409-470a-958b-a865fdd158f9" + "uuid": "d3d56dd0-3409-470a-958b-a865fdd158f9", + "value": "Mad Max" }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" + ], + "type": [ + "Backdoor" ] }, "description": "Crimson is malware used as part of a campaign known as Operation Transparent Tribe that targeted Indian diplomatic and military victims", @@ -1411,11 +1402,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf" + ], + "type": [ + "Backdoor" ] }, "description": "Operation Groundbait based on our research into the Prikormka malware family. This includes detailed technical analysis of the Prikormka malware family and its spreading mechanisms, and a description of the most noteworthy attack campaigns.", @@ -1498,12 +1489,12 @@ "uuid": "ab4694d6-7043-41f2-b328-d93bec9c1b22" }, { - "value": "Bedep", - "uuid": "066f8ad3-0c99-43eb-990c-8fae2c232f62" + "uuid": "066f8ad3-0c99-43eb-990c-8fae2c232f62", + "value": "Bedep" }, { - "value": "Cromptui", - "uuid": "c4d80484-9486-4d5f-95f3-f40cc2de45ea" + "uuid": "c4d80484-9486-4d5f-95f3-f40cc2de45ea", + "value": "Cromptui" }, { "meta": { @@ -1519,12 +1510,12 @@ "uuid": "276c2c2e-09da-44cf-a3f7-806b3feb41da" }, { - "value": "Fareit", - "uuid": "652b5242-b790-4695-ad0e-b79bbf78f351" + "uuid": "652b5242-b790-4695-ad0e-b79bbf78f351", + "value": "Fareit" }, { - "value": "Gafgyt", - "uuid": "5fe338c6-723e-43ed-8165-43d95fa93689" + "uuid": "5fe338c6-723e-43ed-8165-43d95fa93689", + "value": "Gafgyt" }, { "meta": { 
@@ -1535,8 +1526,8 @@ "https://blog.gdatasoftware.com/2015/03/24274-the-andromeda-gamarue-botnet-is-on-the-rise-again" ] }, - "value": "Gamarue", - "uuid": "b9f00c61-6cd1-4112-a632-c8d3837a7ddd" + "uuid": "b9f00c61-6cd1-4112-a632-c8d3837a7ddd", + "value": "Gamarue" }, { "meta": { @@ -1550,8 +1541,8 @@ "uuid": "97d34770-44cc-4ecb-bdce-ba11581c0e2a" }, { - "value": "Palevo", - "uuid": "af0ea2b8-97ae-4ec1-a2c5-8f5dd0c9537b" + "uuid": "af0ea2b8-97ae-4ec1-a2c5-8f5dd0c9537b", + "value": "Palevo" }, { "meta": { @@ -1564,8 +1555,8 @@ "https://en.wikipedia.org/wiki/Akbot" ] }, - "value": "Akbot", - "uuid": "ac2ff27d-a7cb-46fe-ae32-cfe571dc614d" + "uuid": "ac2ff27d-a7cb-46fe-ae32-cfe571dc614d", + "value": "Akbot" }, { "description": "Upatre is a Trojan downloader that is used to set up other threats on the victim's PC. Upatre has been used recently in several high profile Trojan attacks involving the Gameover Trojan. ", @@ -1645,8 +1636,6 @@ "uuid": "dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5" }, { - "value": "Masuta", - "description": "IoT malware based on Mirai but slightly improved.", "meta": { "refs": [ "https://blog.newskysecurity.com/masuta-satori-creators-second-botnet-weaponizes-a-new-router-exploit-2ddc51cc52a7" @@ -1655,11 +1644,13 @@ "PureMasuta" ] }, + "description": "IoT malware based on Mirai but slightly improved.", + "value": "Masuta", "uuid": "1d4dec2c-915a-4fef-ba7a-633421bd0848" }, { - "value": "BASHLITE", - "uuid": "55f8fb60-6339-4bc2-baa0-41e698e11f95" + "uuid": "55f8fb60-6339-4bc2-baa0-41e698e11f95", + "value": "BASHLITE" }, { "meta": { @@ -1685,12 +1676,12 @@ "uuid": "3449215f-2650-48bb-a4fb-6549654cbccc" }, { - "value": "Backdoor.Tinybaron", - "uuid": "2b6b35fb-2ed4-46ce-b603-62ca2b9b2812" + "uuid": "2b6b35fb-2ed4-46ce-b603-62ca2b9b2812", + "value": "Backdoor.Tinybaron" }, { - "value": "Incognito RAT", - "uuid": "307803df-6537-4e4d-a1c8-f219f278e564" + "uuid": "307803df-6537-4e4d-a1c8-f219f278e564", + "value": "Incognito RAT" }, { "meta": { 
@@ -1702,22 +1693,20 @@ "https://twitter.com/Timo_Steffens/status/814781584536719360" ] }, - "value": "DownRage", - "uuid": "ab5c4362-c369-4c78-985d-04ba1226ea32" + "uuid": "ab5c4362-c369-4c78-985d-04ba1226ea32", + "value": "DownRage" }, { - "value": "GeminiDuke", - "description": "GeminiDuke is malware that was used by APT29 from 2009 to 2012.", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0049" ] }, + "description": "GeminiDuke is malware that was used by APT29 from 2009 to 2012.", + "value": "GeminiDuke", "uuid": "6a28a648-30c0-4d1d-bd67-81a8dc6486ba" }, { - "value": "Zeus", - "description": "Trojan.Zbot, also called Zeus, is a Trojan horse that attempts to steal confidential information from the compromised computer. It may also download configuration files and updates from the Internet. The Trojan is created using a Trojan-building toolkit.", "meta": { "refs": [ "https://en.wikipedia.org/wiki/Zeus_(malware)", @@ -1728,11 +1717,11 @@ "Zbot" ] }, + "description": "Trojan.Zbot, also called Zeus, is a Trojan horse that attempts to steal confidential information from the compromised computer. It may also download configuration files and updates from the Internet. The Trojan is created using a Trojan-building toolkit.", + "value": "Zeus", "uuid": "0ce448de-c2bb-4c6e-9ad7-c4030f02b4d7" }, { - "value": "Shifu", - "description": "Shifu is a Banking Trojan first discovered in 2015. Shifu is based on the Shiz source code which incorporated techniques used by Zeus. Attackers use Shifu to steal credentials for online banking websites around the world, starting in Russia but later including the UK, Italy, and others.", "meta": { "refs": [ "http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/" 
@@ -1741,21 +1730,21 @@ "Shiz" ] }, + "description": "Shifu is a Banking Trojan first discovered in 2015. Shifu is based on the Shiz source code which incorporated techniques used by Zeus. Attackers use Shifu to steal credentials for online banking websites around the world, starting in Russia but later including the UK, Italy, and others.", + "value": "Shifu", "uuid": "67d712c8-d254-4820-83fa-9a892b87923b" }, { - "value": "Shiz", - "description": "The new variant of the Shiz Trojan malware targets mission-critical enterprise resource planning (ERP) applications — particularly SAP users. ", "meta": { "refs": [ "https://securityintelligence.com/tag/shiz-trojan-malware/" ] }, + "description": "The new variant of the Shiz Trojan malware targets mission-critical enterprise resource planning (ERP) applications — particularly SAP users. ", + "value": "Shiz", "uuid": "e6085ce0-af6d-41f7-8bcb-7f2eed246941" }, { - "value": "MM Core", - "description": "Also known as “BaneChant”, MM Core is a file-less APT which is executed in memory by a downloader component. It was first reported in 2013 under the version number “2.0-LNK” where it used the tag “BaneChant” in its command-and-control (C2) network request. A second version “2.1-LNK” with the network tag “StrangeLove” was discovered shortly after.", "meta": { "refs": [ "https://blogs.forcepoint.com/security-labs/mm-core-memory-backdoor-returns-bigboss-and-sillygoose" 
@@ -1768,16 +1757,18 @@ "StrangeLove" ] }, + "description": "Also known as “BaneChant”, MM Core is a file-less APT which is executed in memory by a downloader component. It was first reported in 2013 under the version number “2.0-LNK” where it used the tag “BaneChant” in its command-and-control (C2) network request. A second version “2.1-LNK” with the network tag “StrangeLove” was discovered shortly after.", + "value": "MM Core", "uuid": "74bd8c09-73d5-4ad8-ab1f-e94a4853c936" }, { - "value": "Shamoon", - "description": "Shamoon,[a] also known as Disttrack, is a modular computer virus discovered by Seculert[1] in 2012, targeting recent NT kernel-based versions of Microsoft Windows. The virus has been used for cyber espionage in the energy sector.[2][3][4] Its discovery was announced on 16 August 2012 by Symantec,[3] Kaspersky Lab,[5] and Seculert.[6] Similarities have been highlighted by Kaspersky Lab and Seculert between Shamoon and the Flame malware.[5][6]", "meta": { "refs": [ "https://en.wikipedia.org/wiki/Shamoon" ] }, + "description": "Shamoon,[a] also known as Disttrack, is a modular computer virus discovered by Seculert[1] in 2012, targeting recent NT kernel-based versions of Microsoft Windows. The virus has been used for cyber espionage in the energy sector.[2][3][4] Its discovery was announced on 16 August 2012 by Symantec,[3] Kaspersky Lab,[5] and Seculert.[6] Similarities have been highlighted by Kaspersky Lab and Seculert between Shamoon and the Flame malware.[5][6]", + "value": "Shamoon", "uuid": "776b1849-8d5b-4762-8ba1-cbbaddb4ce3a" }, { @@ -1848,11 +1839,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" ] }, "description": "Remote Access Trojan", @@ -1861,11 +1852,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" ] }, "description": "Remote Access Trojan", 
@@ -1874,11 +1865,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" ] }, "description": "Remote Access Trojan", @@ -1887,11 +1878,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" ] }, "description": "Remote Access Trojan", @@ -1900,11 +1891,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" ] }, "description": "Remote Access Trojan", @@ -1913,11 +1904,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" ] }, "description": "Remote Access Trojan", @@ -1926,11 +1917,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" ] }, "description": "Remote Access Trojan", @@ -1939,11 +1930,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" ] }, "description": "Remote Access Trojan", @@ -1952,11 +1943,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" ] }, "description": "Remote Access Trojan", @@ -1965,11 +1956,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" ] }, "description": "Remote Access Trojan", @@ -1978,11 +1969,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" ] }, "description": "Remote Access Trojan", @@ -1991,11 +1982,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" ] }, "description": "Remote Access Trojan", 
@@ -2004,11 +1995,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" ] }, "description": "Remote Access Trojan", @@ -2017,11 +2008,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" ] }, "description": "Remote Access Trojan", @@ -2030,11 +2021,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" ] }, "description": "Remote Access Trojan", @@ -2043,11 +2034,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" ] }, "description": "Remote Access Trojan", @@ -2056,11 +2047,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" ] }, "description": "Remote Access Trojan", @@ -2069,11 +2060,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" ] }, "description": "Remote Access Trojan", @@ -2082,11 +2073,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" ] }, "description": "Remote Access Trojan", @@ -2095,11 +2086,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" ] }, "description": "Remote Access Trojan", @@ -2108,11 +2099,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" ] }, "description": "Remote Access Trojan", @@ -2121,11 +2112,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" ] }, "description": "Remote Access Trojan", 
@@ -2134,11 +2125,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" ] }, "description": "Remote Access Trojan", @@ -2147,11 +2138,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" ] }, "description": "Remote Access Trojan", @@ -2160,11 +2151,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" ] }, "description": "Remote Access Trojan", @@ -2173,11 +2164,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" ] }, "description": "Remote Access Trojan", @@ -2186,11 +2177,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" ] }, "description": "Remote Access Trojan", @@ -2199,11 +2190,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" ] }, "description": "Remote Access Trojan", @@ -2212,11 +2203,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" ] }, "description": "Remote Access Trojan", @@ -2225,11 +2216,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" ] }, "description": "Remote Access Trojan", @@ -2238,11 +2229,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" ] }, "description": "Remote Access Trojan", @@ -2251,11 +2242,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" ] }, "description": "Remote Access Trojan", 
@@ -2264,11 +2255,11 @@ }, { "meta": { - "type": [ - "Backdoor" - ], "refs": [ "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" ] }, "description": "Remote Access Trojan", @@ -2326,8 +2317,6 @@ "uuid": "76ec1827-68a1-488f-9899-2b788ea8db64" }, { - "description": "Chrysaor is spyware believed to be created by NSO Group Technologies, specializing in the creation and sale of software and infrastructure for targeted attacks. Chrysaor is believed to be related to the Pegasus spyware that was first identified on iOS and analyzed by Citizen Lab and Lookout.", - "value": "Chrysaor", "meta": { "refs": [ "https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html" @@ -2337,6 +2326,8 @@ "Pegasus spyware" ] }, + "description": "Chrysaor is spyware believed to be created by NSO Group Technologies, specializing in the creation and sale of software and infrastructure for targeted attacks. Chrysaor is believed to be related to the Pegasus spyware that was first identified on iOS and analyzed by Citizen Lab and Lookout.", + "value": "Chrysaor", "uuid": "9d7c772b-43f1-49cf-bc70-7a7cd2ed34c8" }, { 
@@ -3064,48 +3055,46 @@ "uuid": "71d6e949-69df-4d64-9637-136780226f49" }, { - "value": "feodo", - "description": "Unfortunately, it is time to meet 'Feodo'. Since august of this year when FireEye's MPS devices detected this malware in the field, we have been monitoring this banking trojan very closely. In many ways, this malware looks similar to other famous banking trojans like Zbot and SpyEye. Although my analysis says that this malware is not a toolkit and is in the hands of a single criminal group.", "meta": { "refs": [ "https://www.fireeye.com/blog/threat-research/2010/10/feodosoff-a-new-botnet-on-the-rise.html" ] }, + "description": "Unfortunately, it is time to meet 'Feodo'. Since august of this year when FireEye's MPS devices detected this malware in the field, we have been monitoring this banking trojan very closely. In many ways, this malware looks similar to other famous banking trojans like Zbot and SpyEye. Although my analysis says that this malware is not a toolkit and is in the hands of a single criminal group.", + "value": "feodo", "uuid": "372cdc12-d909-463c-877a-175f97f7abb5" }, { - "value": "Cardinal RAT", - "description": "Palo Alto Networks has discovered a previously unknown remote access Trojan (RAT) that has been active for over two years. It has a very low volume in this two-year period, totaling roughly 27 total samples. The malware is delivered via an innovative and unique technique: a downloader we are calling Carp uses malicious macros in Microsoft Excel documents to compile embedded C# (C Sharp) Programming Language source code into an executable that in turn is run to deploy the Cardinal RAT malware family. 
These malicious Excel files use a number of different lures, providing evidence of what attackers are using to entice victims into executing them.", "meta": { "refs": [ "http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/" ] }, + "description": "Palo Alto Networks has discovered a previously unknown remote access Trojan (RAT) that has been active for over two years. It has a very low volume in this two-year period, totaling roughly 27 total samples. The malware is delivered via an innovative and unique technique: a downloader we are calling Carp uses malicious macros in Microsoft Excel documents to compile embedded C# (C Sharp) Programming Language source code into an executable that in turn is run to deploy the Cardinal RAT malware family. These malicious Excel files use a number of different lures, providing evidence of what attackers are using to entice victims into executing them.", + "value": "Cardinal RAT", "uuid": "1d9fbf33-faea-40c1-b543-c7b39561f0ff" }, { - "description": "The REDLEAVES implant consists of three parts: an executable, a loader, and the implant shellcode. The REDLEAVES implant is a remote administration Trojan (RAT) that is built in Visual C++ and makes heavy use of thread generation during its execution. The implant contains a number of functions typical of RATs, including system enumeration and creating a remote shell back to the C2.", - "value": "REDLEAVES", "meta": { "refs": [ "https://www.us-cert.gov/ncas/alerts/TA17-117A" ] }, + "description": "The REDLEAVES implant consists of three parts: an executable, a loader, and the implant shellcode. The REDLEAVES implant is a remote administration Trojan (RAT) that is built in Visual C++ and makes heavy use of thread generation during its execution. 
The implant contains a number of functions typical of RATs, including system enumeration and creating a remote shell back to the C2.", + "value": "REDLEAVES", "uuid": "179f7228-6fcf-4664-a084-57bd296d0cde" }, { - "description": "Kazuar is a fully featured backdoor written using the .NET Framework and obfuscated using the open source packer called ConfuserEx. Unit 42 researchers have uncovered a backdoor Trojan used in an espionage campaign. The developers refer to this tool by the name Kazuar, which is a Trojan written using the Microsoft .NET Framework that offers actors complete access to compromised systems targeted by its operator. Kazuar includes a highly functional command set, which includes the ability to remotely load additional plugins to increase the Trojan’s capabilities. During our analysis of this malware we uncovered interesting code paths and other artifacts that may indicate a Mac or Unix variant of this same tool also exists. Also, we discovered a unique feature within Kazuar: it exposes its capabilities through an Application Programming Interface (API) to a built-in webserver. We suspect the Kazuar tool may be linked to the Turla threat actor group (also known as Uroburos and Snake), who have been reported to have compromised embassies, defense contractors, educational institutions, and research organizations across the globe. A hallmark of Turla operations is iterations of their tools and code lineage in Kazuar can be traced back to at least 2005. If the hypothesis is correct and the Turla threat group is using Kazuar, we believe they may be using it as a replacement for Carbon and its derivatives. 
Of the myriad of tools observed in use by Turla Carbon and its variants were typically deployed as a second stage backdoor within targeted environments and we believe Kazuar may now hold a similar role for Turla operations.", - "value": "Kazuar", "meta": { "refs": [ "http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/" ] }, + "description": "Kazuar is a fully featured backdoor written using the .NET Framework and obfuscated using the open source packer called ConfuserEx. Unit 42 researchers have uncovered a backdoor Trojan used in an espionage campaign. The developers refer to this tool by the name Kazuar, which is a Trojan written using the Microsoft .NET Framework that offers actors complete access to compromised systems targeted by its operator. Kazuar includes a highly functional command set, which includes the ability to remotely load additional plugins to increase the Trojan’s capabilities. During our analysis of this malware we uncovered interesting code paths and other artifacts that may indicate a Mac or Unix variant of this same tool also exists. Also, we discovered a unique feature within Kazuar: it exposes its capabilities through an Application Programming Interface (API) to a built-in webserver. We suspect the Kazuar tool may be linked to the Turla threat actor group (also known as Uroburos and Snake), who have been reported to have compromised embassies, defense contractors, educational institutions, and research organizations across the globe. A hallmark of Turla operations is iterations of their tools and code lineage in Kazuar can be traced back to at least 2005. If the hypothesis is correct and the Turla threat group is using Kazuar, we believe they may be using it as a replacement for Carbon and its derivatives. 
Of the myriad of tools observed in use by Turla Carbon and its variants were typically deployed as a second stage backdoor within targeted environments and we believe Kazuar may now hold a similar role for Turla operations.", + "value": "Kazuar", "uuid": "a5399473-859b-4c64-999b-a3b4070cd513" }, { - "description": "Many links indicate, that this bot is another product of the people previously involved in Dyreza. It seems to be rewritten from scratch – however, it contains many similar features and solutions to those we encountered analyzing Dyreza (read more).", - "value": "Trick Bot", "meta": { "refs": [ "https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/", 
@@ -3118,30 +3107,30 @@ "TrickLoader" ] }, + "description": "Many links indicate, that this bot is another product of the people previously involved in Dyreza. It seems to be rewritten from scratch – however, it contains many similar features and solutions to those we encountered analyzing Dyreza (read more).", + "value": "Trick Bot", "uuid": "a7dbd72f-8d53-48c6-a9db-d16e7648b2d4" }, { - "description": "Netskope Threat Research Labs recently discovered a Phishing-as-a-Service (PhaaS) platform named Hackshit, that records the credentials of the phished bait victims. The phished bait pages are packaged with base64 encoding and served from secure (HTTPS) websites with “.moe” top level domain (TLD) to evade traditional scanners. “.moe” TLD is intended for the purpose of ‘The marketing of products or services deemed’. The victim’s credentials are sent to the Hackshit PhaaS platform via websockets. The Netskope Active Platform can proactively protect customers by creating custom applications and a policy to block all the activities related to Hackshit PhaaS.", - "value": "Hackshit", "meta": { "refs": [ "https://resources.netskope.com/h/i/352356475-phishing-as-a-service-phishing-revamped" ] }, + "description": "Netskope Threat Research Labs recently discovered a Phishing-as-a-Service (PhaaS) platform named Hackshit, that records the credentials of the phished bait victims. The phished bait pages are packaged with base64 encoding and served from secure (HTTPS) websites with “.moe” top level domain (TLD) to evade traditional scanners. “.moe” TLD is intended for the purpose of ‘The marketing of products or services deemed’. The victim’s credentials are sent to the Hackshit PhaaS platform via websockets. 
The Netskope Active Platform can proactively protect customers by creating custom applications and a policy to block all the activities related to Hackshit PhaaS.", + "value": "Hackshit", "uuid": "02d2ed4a-ce3f-430b-a8da-5b9750c148ca" }, { - "value": "Moneygram Adwind", "meta": { "refs": [ "https://myonlinesecurity.co.uk/new-guidelines-from-moneygram-malspam-delivers-a-brand-new-java-adwind-version/" ] }, - "uuid": "6c6e717d-03c5-496d-83e9-13bdaa408348" + "uuid": "6c6e717d-03c5-496d-83e9-13bdaa408348", + "value": "Moneygram Adwind" }, { - "description": " Banload has been around since the last decade. This malware generally arrives on a victim’s system through a spam email containing an archived file or bundled software as an attachment. In a few cases, this malware may also be dropped by other malware or a drive-by download. When executed, Banload downloads other malware, often banking Trojans, on the victim’s system to carry out further infections.", - "value": "Banload", "meta": { "refs": [ "https://researchcenter.paloaltonetworks.com/2016/03/banload-malware-affecting-brazil-exhibits-unusually-complex-infection-process/", 
@@ -3150,11 +3139,11 @@ "https://securingtomorrow.mcafee.com/mcafee-labs/banload-trojan-targets-brazilians-with-malware-downloads/" ] }, + "description": " Banload has been around since the last decade. This malware generally arrives on a victim’s system through a spam email containing an archived file or bundled software as an attachment. In a few cases, this malware may also be dropped by other malware or a drive-by download. When executed, Banload downloads other malware, often banking Trojans, on the victim’s system to carry out further infections.", + "value": "Banload", "uuid": "d279bc1c-baa6-49aa-ab1b-7d012ae8db4e" }, { - "description": "This small application is used to download other malware. What makes the bot interesting are various tricks that it uses for deception and self protection.", - "value": "Smoke Loader", "meta": { "refs": [ "https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/" 
@@ -3163,21 +3152,21 @@ "Dofoil" ] }, + "description": "This small application is used to download other malware. What makes the bot interesting are various tricks that it uses for deception and self protection.", + "value": "Smoke Loader", "uuid": "81f41bae-2ba9-4cec-9613-776be71645ca" }, { - "description": "The analyzed sample has a recent compilation date (2017-06-24) and is available on VirusTotal. It starts out by resolving several Windows functions using API hashing (CRC32 is used as the hashing function).", - "value": "LockPoS", "meta": { "refs": [ "https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/" ] }, + "description": "The analyzed sample has a recent compilation date (2017-06-24) and is available on VirusTotal. It starts out by resolving several Windows functions using API hashing (CRC32 is used as the hashing function).", + "value": "LockPoS", "uuid": "c740c46b-1d95-42b5-ac3d-2bbab071b859" }, { - "description": "Win.Worm.Fadok drops several files. %AppData%\\RAC\\mls.exe or %AppData%\\RAC\\svcsc.exe are instances of the malware which are auto-started when Windows starts. Further, the worm drops and opens a Word document. It connects to the domain wxanalytics[.]ru.", - "value": "Fadok", "meta": { "refs": [ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm%3AWin32%2FFadok.A", 
@@ -3187,51 +3176,51 @@ "Win32/Fadok" ] }, + "description": "Win.Worm.Fadok drops several files. %AppData%\\RAC\\mls.exe or %AppData%\\RAC\\svcsc.exe are instances of the malware which are auto-started when Windows starts. Further, the worm drops and opens a Word document. It connects to the domain wxanalytics[.]ru.", + "value": "Fadok", "uuid": "6243b2d1-381b-4aa4-a59f-839afcdf03f2" }, { - "description": "Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.", - "value": "Loki Bot", "meta": { "refs": [ "https://phishme.com/loki-bot-malware/" ] }, + "description": "Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.", + "value": "Loki Bot", "uuid": "9085faf1-e5ec-4e51-83eb-92620afda7be" }, { - "description": "Talos has discovered an unknown Remote Administration Tool that we believe has been in use for over 3 years. During this time it has managed to avoid scrutiny by the security community. The current version of the malware allows the operator to steal files, keystrokes, perform screenshots, and execute arbitrary code on the infected host. Talos has named this malware KONNI. \nThroughout the multiple campaigns observed over the last 3 years, the actor has used an email attachment as the initial infection vector. They then use additional social engineering to prompt the target to open a .scr file, display a decoy document to the users, and finally execute the malware on the victim's machine. 
The malware infrastructure of the analysed samples was hosted by a free web hosting provider: 000webhost. The malware has evolved over time. In this article, we will analyse this evolution:", - "value": "KONNI", "meta": { "refs": [ "http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html" ] }, + "description": "Talos has discovered an unknown Remote Administration Tool that we believe has been in use for over 3 years. During this time it has managed to avoid scrutiny by the security community. The current version of the malware allows the operator to steal files, keystrokes, perform screenshots, and execute arbitrary code on the infected host. Talos has named this malware KONNI. \nThroughout the multiple campaigns observed over the last 3 years, the actor has used an email attachment as the initial infection vector. They then use additional social engineering to prompt the target to open a .scr file, display a decoy document to the users, and finally execute the malware on the victim's machine. The malware infrastructure of the analysed samples was hosted by a free web hosting provider: 000webhost. The malware has evolved over time. In this article, we will analyse this evolution:", + "value": "KONNI", "uuid": "24ee55e3-697f-482f-8fa8-d05999df40cd" }, { - "description": "Recently, Palo Alto Networks researchers discovered an advanced Android malware we’ve named “SpyDealer” which exfiltrates private data from more than 40 apps and steals sensitive messages from communication apps by abusing the Android accessibility service feature. 
SpyDealer uses exploits from a commercial rooting app to gain root privilege, which enables the subsequent data theft.", - "value": "SpyDealer", "meta": { "refs": [ "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" ] }, + "description": "Recently, Palo Alto Networks researchers discovered an advanced Android malware we’ve named “SpyDealer” which exfiltrates private data from more than 40 apps and steals sensitive messages from communication apps by abusing the Android accessibility service feature. SpyDealer uses exploits from a commercial rooting app to gain root privilege, which enables the subsequent data theft.", + "value": "SpyDealer", "uuid": "f86b4977-228d-4b31-854d-8bdc92db4653" }, { - "value": "CowerSnail", - "description": "CowerSnail was compiled using Qt and linked with various libraries. This framework provides benefits such as cross-platform capability and transferability of the source code between different operating systems. ", "meta": { "refs": [ "https://securelist.com/cowersnail-from-the-creators-of-sambacry/79087/" ] }, + "description": "CowerSnail was compiled using Qt and linked with various libraries. This framework provides benefits such as cross-platform capability and transferability of the source code between different operating systems. ", + "value": "CowerSnail", "uuid": "6da16d56-eaf9-475d-a7e0-4a11e0200c14" }, { - "description": "In mid-July 2017, we found a new modification of the well-known mobile banking malware family Svpeng – Trojan-Banker.AndroidOS.Svpeng.ae. In this modification, the cybercriminals have added new functionality: it now also works as a keylogger, stealing entered text through the use of accessibility services.", - "value": "Svpeng", "meta": { "refs": [ "https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/" 
@@ -3240,158 +3229,158 @@
 "trojan-banker.androidos.svpeng.ae"
 ]
 },
+ "description": "In mid-July 2017, we found a new modification of the well-known mobile banking malware family Svpeng – Trojan-Banker.AndroidOS.Svpeng.ae. In this modification, the cybercriminals have added new functionality: it now also works as a keylogger, stealing entered text through the use of accessibility services.",
+ "value": "Svpeng",
 "uuid": "a33df440-f112-4a5e-a290-3c65dae6091d"
 },
 {
- "description": "While investigating a recent security incident, Unit 42 found a webshell that we believe was used by the threat actor to remotely access the network of a targeted Middle Eastern organization. The construction of the webshell was interesting by itself, as it was actually two separate webshells: an initial webshell that was responsible for saving and loading the second fully functional webshell. It is this second webshell that enabled the threat actor to run a variety of commands on the compromised server. Due to these two layers, we use the name TwoFace to track this webshell.\nDuring our analysis, we extracted the commands executed by the TwoFace webshell from the server logs on the compromised server. Our analysis shows that the commands issued by the threat actor date back to June 2016; this suggests that the actor had access to this shell for almost an entire year. The commands issued show the actor was interested in gathering credentials from the compromised server using the Mimikatz tool. 
We also saw the attacker using the TwoFace webshell to move laterally through the network by copying itself and other webshells to other servers.",
- "value": "TwoFace",
 "meta": {
- "type": [
- "webshell"
- ],
 "refs": [
 "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/"
+ ],
+ "type": [
+ "webshell"
 ]
 },
+ "description": "While investigating a recent security incident, Unit 42 found a webshell that we believe was used by the threat actor to remotely access the network of a targeted Middle Eastern organization. The construction of the webshell was interesting by itself, as it was actually two separate webshells: an initial webshell that was responsible for saving and loading the second fully functional webshell. It is this second webshell that enabled the threat actor to run a variety of commands on the compromised server. Due to these two layers, we use the name TwoFace to track this webshell.\nDuring our analysis, we extracted the commands executed by the TwoFace webshell from the server logs on the compromised server. Our analysis shows that the commands issued by the threat actor date back to June 2016; this suggests that the actor had access to this shell for almost an entire year. The commands issued show the actor was interested in gathering credentials from the compromised server using the Mimikatz tool. We also saw the attacker using the TwoFace webshell to move laterally through the network by copying itself and other webshells to other servers.",
+ "value": "TwoFace",
 "uuid": "9334c430-0d83-4893-8982-66a1dc1a2b11"
 },
 {
- "description": "Like TwoFace, the IntrudingDivisor webshell requires the threat actor to authenticate before issuing commands. To authenticate, the actor must provide two pieces of information, first an integer that is divisible by 5473 and a string whose MD5 hash is “9A26A0E7B88940DAA84FC4D5E6C61AD0”. 
Upon successful authentication, the webshell has a command handler that uses integers within the request to determine the command to execute - To complete",
- "value": "IntrudingDivisor",
 "meta": {
- "type": [
- "webshell"
- ],
 "refs": [
 "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/"
+ ],
+ "type": [
+ "webshell"
 ]
 },
+ "description": "Like TwoFace, the IntrudingDivisor webshell requires the threat actor to authenticate before issuing commands. To authenticate, the actor must provide two pieces of information, first an integer that is divisible by 5473 and a string whose MD5 hash is “9A26A0E7B88940DAA84FC4D5E6C61AD0”. Upon successful authentication, the webshell has a command handler that uses integers within the request to determine the command to execute - To complete",
+ "value": "IntrudingDivisor",
 "uuid": "bb2bd10b-b36d-4390-bf60-bd8d2d7cedec"
 },
 {
- "description": "Attacks that use completely fileless malware are a rare occurrence, so we thought it important to discuss a new trojan known as JS_POWMET (Detected by Trend Micro as JS_POWMET.DE), which arrives via an autostart registry procedure. By utilizing a completely fileless infection chain, the malware will be more difficult to analyze using a sandbox, making it more difficult for anti-malware engineers to examine.",
- "value": "JS_POWMET",
 "meta": {
 "refs": [
 "http://blog.trendmicro.com/trendlabs-security-intelligence/look-js_powmet-completely-fileless-malware/"
 ]
 },
+ "description": "Attacks that use completely fileless malware are a rare occurrence, so we thought it important to discuss a new trojan known as JS_POWMET (Detected by Trend Micro as JS_POWMET.DE), which arrives via an autostart registry procedure. 
By utilizing a completely fileless infection chain, the malware will be more difficult to analyze using a sandbox, making it more difficult for anti-malware engineers to examine.",
+ "value": "JS_POWMET",
 "uuid": "c602edae-b186-4c60-a4f6-8785d6aa0eb0"
 },
 {
- "value": "EngineBox Malware",
- "description": "The main malware capabilities include a privilege escalation attempt using MS16–032 exploitation; a HTTP Proxy to intercept banking transactions; a backdoor to make it possible for the attacker to issue arbitrary remote commands and a C&C through a IRC channel. As it's being identified as a Generic Trojan by most of VirusTotal (VT) engines, let s name it EngineBox— the core malware class I saw after reverse engineering it.",
 "meta": {
 "refs": [
 "https://isc.sans.edu/diary/22736"
 ]
 },
+ "description": "The main malware capabilities include a privilege escalation attempt using MS16–032 exploitation; a HTTP Proxy to intercept banking transactions; a backdoor to make it possible for the attacker to issue arbitrary remote commands and a C&C through a IRC channel. As it's being identified as a Generic Trojan by most of VirusTotal (VT) engines, let s name it EngineBox— the core malware class I saw after reverse engineering it.",
+ "value": "EngineBox Malware",
 "uuid": "17839df6-aa15-4269-b4b1-9e7ae8cfec1e"
 },
 {
- "value": "Joao",
- "description": "Spread via hacked Aeria games offered on unofficial websites, the modular malware can download and install virtually any other malicious code on the victim’s computer. To spread their malware, the attackers behind Joao have misused massively-multiplayer online role-playing games (MMORPGs) originally published by Aeria Games. 
At the time of writing this article, the Joao downloader was being distributed via the anime-themed MMORPG Grand Fantasia offered on gf.ignitgames[.]to.",
 "meta": {
 "refs": [
 "https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/"
 ]
 },
+ "description": "Spread via hacked Aeria games offered on unofficial websites, the modular malware can download and install virtually any other malicious code on the victim’s computer. To spread their malware, the attackers behind Joao have misused massively-multiplayer online role-playing games (MMORPGs) originally published by Aeria Games. At the time of writing this article, the Joao downloader was being distributed via the anime-themed MMORPG Grand Fantasia offered on gf.ignitgames[.]to.",
+ "value": "Joao",
 "uuid": "673d05fa-4066-442c-bdb6-0c0a2da5ae62"
 },
 {
- "value": "Fireball",
- "description": "Upon execution, Fireball installs a browser hijacker as well as any number of adware programs. Several different sources have linked different indicators of compromise (IOCs) and varied payloads, but a few details remain the same.",
 "meta": {
 "refs": [
 "https://www.cylance.com/en_us/blog/threat-spotlight-is-fireball-adware-or-malware.html"
 ]
 },
+ "description": "Upon execution, Fireball installs a browser hijacker as well as any number of adware programs. Several different sources have linked different indicators of compromise (IOCs) and varied payloads, but a few details remain the same.",
+ "value": "Fireball",
 "uuid": "968df869-7f60-4420-989f-23dfdbd58668"
 },
 {
- "value": "ShadowPad",
- "description": "ShadowPad is a modular cyber-attack platform that attackers deploy in victim networks to gain flexible remote control capabilities. The platform is designed to run in two stages. The first stage is a shellcode that was embedded in a legitimate nssock2.dll used by Xshell, Xmanager and other software packages produced by NetSarang. 
This stage is responsible for connecting to “validation” command and control (C&C) servers and getting configuration information including the location of the real C&C server, which may be unique per victim. The second stage acts as an orchestrator for five main modules responsible for C&C communication, working with the DNS protocol, loading and injecting additional plugins into the memory of other processes.",
 "meta": {
 "refs": [
 "https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf"
 ]
 },
+ "description": "ShadowPad is a modular cyber-attack platform that attackers deploy in victim networks to gain flexible remote control capabilities. The platform is designed to run in two stages. The first stage is a shellcode that was embedded in a legitimate nssock2.dll used by Xshell, Xmanager and other software packages produced by NetSarang. This stage is responsible for connecting to “validation” command and control (C&C) servers and getting configuration information including the location of the real C&C server, which may be unique per victim. The second stage acts as an orchestrator for five main modules responsible for C&C communication, working with the DNS protocol, loading and injecting additional plugins into the memory of other processes.",
+ "value": "ShadowPad",
 "uuid": "2448a4e1-46e3-4c42-9fd1-f51f8ede58c1"
 },
 {
- "value": "IoT_reaper",
- "description": "IoT_reaper is fairly large now and is actively expanding. For example, there are multiple C2s we are tracking, the most recently data (October 19) from just one C2 shows the number of unique active bot IP address is more than 10k per day. 
While at the same time, there are millions of potential vulnerable device IPs being queued into the c2 system waiting to be processed by an automatic loader that injects malicious code to the devices to expand the size of the botnet.",
 "meta": {
 "refs": [
 "http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/"
 ]
 },
+ "description": "IoT_reaper is fairly large now and is actively expanding. For example, there are multiple C2s we are tracking, the most recently data (October 19) from just one C2 shows the number of unique active bot IP address is more than 10k per day. While at the same time, there are millions of potential vulnerable device IPs being queued into the c2 system waiting to be processed by an automatic loader that injects malicious code to the devices to expand the size of the botnet.",
+ "value": "IoT_reaper",
 "uuid": "6052becf-3060-444c-8ed7-d4a3901ae7dd"
 },
 {
- "value": "FormBook",
- "description": "FormBook is a data stealer and form grabber that has been advertised in various hacking forums since early 2016.",
 "meta": {
 "refs": [
 "https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html",
 "https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/"
 ]
 },
+ "description": "FormBook is a data stealer and form grabber that has been advertised in various hacking forums since early 2016.",
+ "value": "FormBook",
 "uuid": "c7e7063b-b2a2-4046-8a19-94dea018eaa0"
 },
 {
- "value": "Dimnie",
- "description": "Dimnie, the commonly agreed upon name for the binary dropped by the PowerShell script above, has been around for several years. Palo Alto Networks has observed samples dating back to early 2014 with identical command and control mechanisms. The malware family serves as a downloader and has a modular design encompassing various information stealing functionalities. Each module is injected into the memory of core Windows processes, further complicating analysis. 
During its lifespan, it appears to have undergone few changes and its stealthy command and control methods combined with a previously Russian focused target base has allowed it to fly under the radar up until this most recent campaign.",
 "meta": {
 "refs": [
 "https://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/"
 ]
 },
+ "description": "Dimnie, the commonly agreed upon name for the binary dropped by the PowerShell script above, has been around for several years. Palo Alto Networks has observed samples dating back to early 2014 with identical command and control mechanisms. The malware family serves as a downloader and has a modular design encompassing various information stealing functionalities. Each module is injected into the memory of core Windows processes, further complicating analysis. During its lifespan, it appears to have undergone few changes and its stealthy command and control methods combined with a previously Russian focused target base has allowed it to fly under the radar up until this most recent campaign.",
+ "value": "Dimnie",
 "uuid": "9fed4326-a7ad-4c58-ab87-90ac3957d82f"
 },
 {
- "value": "ALMA Communicator",
- "description": "The ALMA Communicator Trojan is a backdoor Trojan that uses DNS tunneling exclusively to receive commands from the adversary and to exfiltrate data. This Trojan specifically reads in a configuration from the cfg file that was initially created by the Clayslide delivery document. ALMA does not have an internal configuration, so the Trojan does not function without the cfg file created by the delivery document.",
 "meta": {
 "refs": [
 "https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/"
 ]
 },
+ "description": "The ALMA Communicator Trojan is a backdoor Trojan that uses DNS tunneling exclusively to receive commands from the adversary and to exfiltrate data. 
This Trojan specifically reads in a configuration from the cfg file that was initially created by the Clayslide delivery document. ALMA does not have an internal configuration, so the Trojan does not function without the cfg file created by the delivery document.",
+ "value": "ALMA Communicator",
 "uuid": "45de0d28-5a20-4190-ae21-68067e36e316"
 },
 {
- "value": "Silence",
- "description": "In September 2017, we discovered a new targeted attack on financial institutions. Victims are mostly Russian banks but we also found infected organizations in Malaysia and Armenia. The attackers were using a known but still very effective technique for cybercriminals looking to make money: gaining persistent access to an internal banking network for a long period of time, making video recordings of the day to day activity on bank employees’ PCs, learning how things works in their target banks, what software is being used, and then using that knowledge to steal as much money as possible when ready. \nWe saw that technique before in Carbanak, and other similar cases worldwide. The infection vector is a spear-phishing email with a malicious attachment. An interesting point in the Silence attack is that the cybercriminals had already compromised banking infrastructure in order to send their spear-phishing emails from the addresses of real bank employees and look as unsuspicious as possible to future victims.",
 "meta": {
 "refs": [
 "https://securelist.com/the-silence/83009/"
 ]
 },
+ "description": "In September 2017, we discovered a new targeted attack on financial institutions. Victims are mostly Russian banks but we also found infected organizations in Malaysia and Armenia. 
The attackers were using a known but still very effective technique for cybercriminals looking to make money: gaining persistent access to an internal banking network for a long period of time, making video recordings of the day to day activity on bank employees’ PCs, learning how things works in their target banks, what software is being used, and then using that knowledge to steal as much money as possible when ready. \nWe saw that technique before in Carbanak, and other similar cases worldwide. The infection vector is a spear-phishing email with a malicious attachment. An interesting point in the Silence attack is that the cybercriminals had already compromised banking infrastructure in order to send their spear-phishing emails from the addresses of real bank employees and look as unsuspicious as possible to future victims.",
+ "value": "Silence",
 "uuid": "304fd753-c917-4008-8f85-81390c37a070"
 },
 {
- "value": "Volgmer",
- "description": "Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. Since at least 2013, HIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government, financial, automotive, and media industries. It is suspected that spear phishing is the primary delivery mechanism for Volgmer infections; however, HIDDEN COBRA actors use a suite of custom tools, some of which could also be used to initially compromise a system. Therefore, it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer",
 "meta": {
 "refs": [
 "https://www.us-cert.gov/ncas/alerts/TA17-318B"
 ]
 },
+ "description": "Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. Since at least 2013, HIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government, financial, automotive, and media industries. 
It is suspected that spear phishing is the primary delivery mechanism for Volgmer infections; however, HIDDEN COBRA actors use a suite of custom tools, some of which could also be used to initially compromise a system. Therefore, it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer",
+ "value": "Volgmer",
 "uuid": "0a52e73b-d7e9-45ae-9bda-46568f753931"
 },
 {
- "value": "Nymaim",
- "description": "Nymaim is a 2-year-old strain of malware most closely associated with ransomware. We have seen recent attacks spreading it using an established email marketing service provider to avoid blacklists and detection tools. But instead of ransomware, the malware is now being used to distribute banking Trojans",
 "meta": {
 "refs": [
 "https://www.proofpoint.com/us/what-old-new-again-nymaim-moves-past-its-ransomware-roots-0"
 ]
 },
+ "description": "Nymaim is a 2-year-old strain of malware most closely associated with ransomware. We have seen recent attacks spreading it using an established email marketing service provider to avoid blacklists and detection tools. But instead of ransomware, the malware is now being used to distribute banking Trojans",
+ "value": "Nymaim",
 "uuid": "d36f4834-b958-4f32-aff0-5263e0034408"
 },
 {
- "value": "GootKit",
- "description": "As was the case earlier, the bot Gootkit is written in NodeJS, and is downloaded to a victim computer via a chain of downloaders. The main purpose of the bot also remained the same – to steal banking data. The new Gootkit version, detected in September, primarily targets clients of European banks, including those in Germany, France, Italy, the Netherlands, Poland, etc.",
 "meta": {
 "refs": [
 "https://securelist.com/inside-the-gootkit-cc-server/76433/", 
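Review bot: The IntrudingDivisor `description` carried onto the new side still ends mid-sentence (`...to determine the command to execute - To complete`), and the KONNI one ends on a dangling colon (`...we will analyse this evolution:`); both read as truncated paste from the cited articles and should be cut back to the last complete sentence, e.g. `...uses integers within the request to determine the command to execute.` Several values in this hunk and the later ones keep trailing whitespace inside the string (`CowerSnail` here; `Agent Tesla` in the hunk at 3403, `TRISIS` at 3472, `OSX.Pirrit` at 3496), which any consumer that compares or hashes descriptions will treat as distinct from the trimmed text, so a one-time trim would sit naturally next to this key sort. The reordering itself looks like an automated canonical sort (`description` before `meta`, `type` after `refs`/`synonyms`); if that is the intent, naming the script or invocation in the commit message would tell contributors to run it before submitting so the next manual edit does not produce a churn diff like this one.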
@@ -3403,21 +3392,21 @@
 "Gootkit"
 ]
 },
+ "description": "As was the case earlier, the bot Gootkit is written in NodeJS, and is downloaded to a victim computer via a chain of downloaders. The main purpose of the bot also remained the same – to steal banking data. The new Gootkit version, detected in September, primarily targets clients of European banks, including those in Germany, France, Italy, the Netherlands, Poland, etc.",
+ "value": "GootKit",
 "uuid": "07ffcf9f-b9c0-4b22-af4b-78527427e6f5"
 },
 {
- "value": "Agent Tesla",
- "description": "Agent Tesla is modern powerful keystroke logger. It provides monitoring your personel computer via keyboard and screenshot. Keyboard, screenshot and registered passwords are sent in log. You can receive your logs via e-mail, ftp or php(web panel). ",
 "meta": {
 "refs": [
 "https://www.agenttesla.com/"
 ]
 },
+ "description": "Agent Tesla is modern powerful keystroke logger. It provides monitoring your personel computer via keyboard and screenshot. Keyboard, screenshot and registered passwords are sent in log. You can receive your logs via e-mail, ftp or php(web panel). ",
+ "value": "Agent Tesla",
 "uuid": "f8cd62cb-b9d3-4352-8f46-0961cfde104c"
 },
 {
- "value": "Ordinypt",
- "description": "A new ransomware strain called Ordinypt is currently targeting victims in Germany, but instead of encrypting users' documents, the ransomware rewrites files with random data. Ordinypt is actually a wiper and not ransomware because it does not bother encrypting anything, but just replaces files with random data.",
 "meta": {
 "refs": [
 "https://www.bleepingcomputer.com/news/security/ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany/",
 "https://www.bleepingcomputer.com/news/security/quant-loader-is-now-bundled-with-other-crappy-malware/", 
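Review bot: The Agent Tesla `description` re-added on the new side is the seller's own second-person sales copy ("It provides monitoring your personel computer", "You can receive your logs"), with its typo and trailing space, rather than the third-person characterization the neighbouring entries use, and its only `refs` entry is the vendor's storefront. A neutral rewording would read better in a galaxy consumed by analysts, e.g. `"description": "Agent Tesla is a commercially sold keystroke logger that captures keyboard input, screenshots and stored passwords and delivers logs by e-mail, FTP or a PHP web panel."`, ideally with an independent analysis added to `refs`; which of the two you prefer is a curation call beyond this hunk.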
@@ -3426,11 +3415,11 @@
 "HSDFSDCrypt"
 ]
 },
+ "description": "A new ransomware strain called Ordinypt is currently targeting victims in Germany, but instead of encrypting users' documents, the ransomware rewrites files with random data. Ordinypt is actually a wiper and not ransomware because it does not bother encrypting anything, but just replaces files with random data.",
+ "value": "Ordinypt",
 "uuid": "1d46f816-d159-4457-b98e-c34307d90655"
 },
 {
- "value": "StrongPity2",
- "description": "Detected by ESET as Win32/StrongPity2, this spyware notably resembles one that was attributed to the group called StrongPity.",
 "meta": {
 "synonyms": [
 "Win32/StrongPity2" 
@@ -3439,32 +3428,32 @@
 "https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/"
 ]
 },
+ "description": "Detected by ESET as Win32/StrongPity2, this spyware notably resembles one that was attributed to the group called StrongPity.",
+ "value": "StrongPity2",
 "uuid": "d422e7c9-a2ac-45b2-9804-61d16a6e30e7"
 },
 {
- "value": "wp-vcd",
- "description": "WordPress site owners should be on the lookout for a malware strain tracked as wp-vcd that hides in legitimate WordPress files and that is used to add a secret admin user and grant attackers control over infected sites.\nThe malware was first spotted online over the summer by Italian security researcher Manuel D'Orso.\nThe initial version of this threat was loaded via an include call for the wp-vcd.php file —hence the malware's name— and injected malicious code into WordPress core files such as functions.php and class.wp.php. This was not a massive campaign, but attacks continued throughout the recent months.",
 "meta": {
 "refs": [
 "https://www.bleepingcomputer.com/news/security/wp-vcd-wordpress-malware-campaign-is-back/",
 "https://www.bleepingcomputer.com/news/security/wp-vcd-wordpress-malware-spreads-via-nulled-wordpress-themes/"
 ]
 },
+ "description": "WordPress site owners should be on the lookout for a malware strain tracked as wp-vcd that hides in legitimate WordPress files and that is used to add a secret admin user and grant attackers control over infected sites.\nThe malware was first spotted online over the summer by Italian security researcher Manuel D'Orso.\nThe initial version of this threat was loaded via an include call for the wp-vcd.php file —hence the malware's name— and injected malicious code into WordPress core files such as functions.php and class.wp.php. 
This was not a massive campaign, but attacks continued throughout the recent months.",
+ "value": "wp-vcd",
 "uuid": "99de56dc-92c5-4540-91bc-a6cd1e3a3c7f"
 },
 {
- "value": "MoneyTaker 5.0",
- "description": "malicious program for auto replacement of payment data in AWS CBR",
 "meta": {
 "refs": [
 "https://www.group-ib.com/blog/moneytaker"
 ]
 },
+ "description": "malicious program for auto replacement of payment data in AWS CBR",
+ "value": "MoneyTaker 5.0",
 "uuid": "0acb6f04-7e51-44bb-843c-4bb55a3647d5"
 },
 {
- "value": "Quant Loader",
- "description": "Described as a \"professional exe loader / dll dropper\" Quant Loader is in fact a very basic trojan downloader. It began being advertised on September 1, 2016 on various Russian underground forums.",
 "meta": {
 "refs": [
 "https://www.bleepingcomputer.com/news/security/quant-loader-is-now-bundled-with-other-crappy-malware/", 
@@ -3472,21 +3461,21 @@
 "https://www.bleepingcomputer.com/news/security/worlds-largest-spam-botnet-finds-a-new-way-to-avoid-detection-for-now/"
 ]
 },
+ "description": "Described as a \"professional exe loader / dll dropper\" Quant Loader is in fact a very basic trojan downloader. It began being advertised on September 1, 2016 on various Russian underground forums.",
+ "value": "Quant Loader",
 "uuid": "2d1aadfb-03c1-4580-b6ac-f12c6941067d"
 },
 {
- "value": "SSHDoor",
- "description": "The Secure Shell Protocol (SSH) is a very popular protocol used for secure data communication. It is widely used in the Unix world to manage remote servers, transfer files, etc. The modified SSH daemon described here, Linux/SSHDoor.A, is designed to steal usernames and passwords and allows remote access to the server via either an hardcoded password or SSH key.",
 "meta": {
 "refs": [
 "https://www.welivesecurity.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords/"
 ]
 },
+ "description": "The Secure Shell Protocol (SSH) is a very popular protocol used for secure data communication. It is widely used in the Unix world to manage remote servers, transfer files, etc. The modified SSH daemon described here, Linux/SSHDoor.A, is designed to steal usernames and passwords and allows remote access to the server via either an hardcoded password or SSH key.",
+ "value": "SSHDoor",
 "uuid": "f258f96c-8281-4b24-8aa7-4e23d1a5540e"
 },
 {
- "value": "TRISIS",
- "description": "(Dragos Inc.) The team identifies this malware as TRISIS because it targets Schneider Electric’s Triconex safety instrumented system (SIS) enabling the replacement of logic in final control elements. TRISIS is highly targeted and likely does not pose an immediate threat to other Schneider Electric customers, let alone other SIS products. (FireEye Inc.) This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. 
We have not attributed the incident to a threat actor, though we believe the activity is consistent with a nation state preparing for an attack. TRITON is one of a limited number of publicly identified malicious software families targeted at industrial control systems (ICS). It follows Stuxnet which was used against Iran in 2010 and Industroyer which we believe was deployed by Sandworm Team against Ukraine in 2016. ",
 "meta": {
 "refs": [
 "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html",
@@ -3496,11 +3485,11 @@
 "TRITON"
 ]
 },
+ "description": "(Dragos Inc.) The team identifies this malware as TRISIS because it targets Schneider Electric’s Triconex safety instrumented system (SIS) enabling the replacement of logic in final control elements. TRISIS is highly targeted and likely does not pose an immediate threat to other Schneider Electric customers, let alone other SIS products. (FireEye Inc.) This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. We have not attributed the incident to a threat actor, though we believe the activity is consistent with a nation state preparing for an attack. TRITON is one of a limited number of publicly identified malicious software families targeted at industrial control systems (ICS). It follows Stuxnet which was used against Iran in 2010 and Industroyer which we believe was deployed by Sandworm Team against Ukraine in 2016. ",
+ "value": "TRISIS",
 "uuid": "8a45d1a5-8157-4303-a47a-352282065059"
 },
 {
- "value": "OSX.Pirrit",
- "description": "macOS adware strain ",
 "meta": {
 "refs": [
 "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf", 
@@ -3511,41 +3500,41 @@
 "OSX/Pirrit"
 ]
 },
+ "description": "macOS adware strain ",
+ "value": "OSX.Pirrit",
 "uuid": "e2b7ddc2-2fce-4ef9-9054-609e74a8775e"
 },
 {
- "value": "GratefulPOS",
- "description": "GratefulPOS has the following functions\n1. Access arbitrary processes on the target POS system\n2. Scrape track 1 and 2 payment card data from the process(es)\n3. Exfiltrate the payment card data via lengthy encoded and obfuscated DNS queries to a hardcoded domain registered and controlled by the perpetrators, similar to that described by Paul Rascagneres in his analysis of FrameworkPOS in 2014[iii], and more recently by Luis Mendieta of Anomoli in analysis of a precursor to this sample.",
 "meta": {
 "refs": [
 "https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season"
 ]
 },
+ "description": "GratefulPOS has the following functions\n1. Access arbitrary processes on the target POS system\n2. Scrape track 1 and 2 payment card data from the process(es)\n3. Exfiltrate the payment card data via lengthy encoded and obfuscated DNS queries to a hardcoded domain registered and controlled by the perpetrators, similar to that described by Paul Rascagneres in his analysis of FrameworkPOS in 2014[iii], and more recently by Luis Mendieta of Anomoli in analysis of a precursor to this sample.",
+ "value": "GratefulPOS",
 "uuid": "4cfe3f22-96b8-4d3d-a6cc-85835d9471e2"
 },
 {
- "value": "PRILEX",
- "description": "Prilex malware steals the information of the infected ATM’s users. In this case, it was a Brazilian bank, but consider the implications of such an attack in your region, whether you’re a customer or the bank.",
 "meta": {
 "refs": [
 "http://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-prilex-cutlet-maker-atm-malware-families/"
 ]
 },
+ "description": "Prilex malware steals the information of the infected ATM’s users. 
In this case, it was a Brazilian bank, but consider the implications of such an attack in your region, whether you’re a customer or the bank.",
+ "value": "PRILEX",
 "uuid": "523e8772-0610-424c-bcfb-9123bcb8328f"
 },
 {
- "value": "CUTLET MAKER",
- "description": "Cutlet Maker is an ATM malware designed to empty the machine of all its banknotes. Interestingly, while its authors have been advertising its sale, their competitors have already cracked the program, allowing anybody to use it for free.",
 "meta": {
 "refs": [
 "http://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-prilex-cutlet-maker-atm-malware-families/"
 ]
 },
+ "description": "Cutlet Maker is an ATM malware designed to empty the machine of all its banknotes. Interestingly, while its authors have been advertising its sale, their competitors have already cracked the program, allowing anybody to use it for free.",
+ "value": "CUTLET MAKER",
 "uuid": "c03e7054-6013-4f69-994d-7cdaa41588ed"
 },
 {
- "value": "Satori",
- "description": "According to a report Li shared with Bleeping Computer today, the Mirai Satori variant is quite different from all previous pure Mirai variants.Previous Mirai versions infected IoT devices and then downloaded a Telnet scanner component that attempted to find other victims and infect them with the Mirai bot.The Satori variant does not use a scanner but uses two embedded exploits that will try to connect to remote devices on ports 37215 and 52869.Effectively, this makes Satori an IoT worm, being able to spread by itself without the need for separate components.",
 "meta": {
 "refs": [
 "https://www.bleepingcomputer.com/news/security/satori-botnet-has-sudden-awakening-with-over-280-000-active-bots/", 
@@ -3555,81 +3544,81 @@
 "Okiru"
 ]
 },
+ "description": "According to a report Li shared with Bleeping Computer today, the Mirai Satori variant is quite different from all previous pure Mirai variants.Previous Mirai versions infected IoT devices and then downloaded a Telnet scanner component that attempted to find other victims and infect them with the Mirai bot.The Satori variant does not use a scanner but uses two embedded exploits that will try to connect to remote devices on ports 37215 and 52869.Effectively, this makes Satori an IoT worm, being able to spread by itself without the need for separate components.",
+ "value": "Satori",
 "uuid": "1ad4697b-3388-48ed-8621-85abebf5dbbf"
 },
 {
- "value": "PowerSpritz",
- "description": "PowerSpritz is a Windows executable that hides both its legitimate payload and malicious PowerShell command using a non-standard implementation of the already rarely used Spritz encryption algorithm (see the Attribution section for additional analysis of the Spritz implementation). This malicious downloader has been observed being delivered via spearphishing attacks using the TinyCC link shortener service to redirect to likely attacker-controlled servers hosting the malicious PowerSpritz payload.",
 "meta": {
 "refs": [
 "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf"
 ]
 },
+ "description": "PowerSpritz is a Windows executable that hides both its legitimate payload and malicious PowerShell command using a non-standard implementation of the already rarely used Spritz encryption algorithm (see the Attribution section for additional analysis of the Spritz implementation). This malicious downloader has been observed being delivered via spearphishing attacks using the TinyCC link shortener service to redirect to likely attacker-controlled servers hosting the malicious PowerSpritz payload.",
+ "value": "PowerSpritz",
 "uuid": "5629bc84-58eb-42d9-adc6-cd0eeb08ccaf"
 },
 {
- "value": "PowerRatankba",
- "description": "PowerRatankba is used for the same purpose as Ratankba: as a first stage reconnaissance tool and for the deployment of further stage implants on targets that are deemed interesting by the actor. Similar to its predecessor, PowerRatankba utilizes HTTP for its C&C communication.",
 "meta": {
 "refs": [
 "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf"
 ]
 },
+ "description": "PowerRatankba is used for the same purpose as Ratankba: as a first stage reconnaissance tool and for the deployment of further stage implants on targets that are deemed interesting by the actor. Similar to its predecessor, PowerRatankba utilizes HTTP for its C&C communication.",
+ "value": "PowerRatankba",
 "uuid": "1f1be19e-d1b5-408b-90a0-03ad27cc8924"
 },
 {
- "value": "Ratankba",
- "description": "In one instance we observed, one of the initial malware delivered to the victim, RATANKBA, connects to a legitimate but compromised website from which a hack tool (nbt_scan.exe) is also downloaded. The domain also serves as one of the campaign’s platform for C&C communication.\nThe threat actor uses RATANKBA to survey the lay of the land as it looks into various aspects of the host machine where it has been initially downloaded—the machine that has been victim of the watering hole attack. Information such as the running tasks, domain, shares, user information, if the host has default internet connectivity, and so forth.",
 "meta": {
 "refs": [
 "http://blog.trendmicro.com/trendlabs-security-intelligence/ratankba-watering-holes-against-enterprises/"
 ]
 },
+ "description": "In one instance we observed, one of the initial malware delivered to the victim, RATANKBA, connects to a legitimate but compromised website from which a hack tool (nbt_scan.exe) is also downloaded. The domain also serves as one of the campaign’s platform for C&C communication.\nThe threat actor uses RATANKBA to survey the lay of the land as it looks into various aspects of the host machine where it has been initially downloaded—the machine that has been victim of the watering hole attack. Information such as the running tasks, domain, shares, user information, if the host has default internet connectivity, and so forth.",
+ "value": "Ratankba",
 "uuid": "64b3c66b-fc70-4b5a-83a9-866cde2ccb0b"
 },
 {
- "value": "USBStealer",
- "description": "USBStealer serves as a network tool that extracts sensitive information from air-gapped networks. We have not seen this component since mid 2015.",
 "meta": {
 "refs": [
 "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/"
 ]
 },
+ "description": "USBStealer serves as a network tool that extracts sensitive information from air-gapped networks. We have not seen this component since mid 2015.",
+ "value": "USBStealer",
 "uuid": "44909efb-7cd3-42e3-b225-9f3e96b5f362"
 },
 {
- "value": "Downdelph",
- "description": "Downdelph is a lightweight downloader developed in the Delphi programming language. As we already mentioned in our white paper, its period of activity was from November 2013 to September 2015 and there have been no new variants seen since.",
 "meta": {
 "refs": [
 "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/"
 ]
 },
+ "description": "Downdelph is a lightweight downloader developed in the Delphi programming language. As we already mentioned in our white paper, its period of activity was from November 2013 to September 2015 and there have been no new variants seen since.",
+ "value": "Downdelph",
 "uuid": "837a295c-15ff-41c0-9b7e-5f2fb502b00a"
 },
 {
- "value": "CoinMiner",
- "description": "Monero-mining malware",
 "meta": {
 "refs": [
 "https://www.welivesecurity.com/2017/09/28/monero-money-mining-malware/"
 ]
 },
+ "description": "Monero-mining malware",
+ "value": "CoinMiner",
 "uuid": "89bd2020-2594-45c4-8957-522c0ac41370"
 },
 {
- "value": "FruitFly",
- "description": "A fully-featured backdoor, designed to perversely spy on Mac users",
 "meta": {
 "refs": [
 "https://objective-see.com/blog/blog_0x25.html#FruitFly"
 ]
 },
+ "description": "A fully-featured backdoor, designed to perversely spy on Mac users",
+ "value": "FruitFly",
 "uuid": "6a6525b9-4656-4973-ab45-588592395d0c"
 },
 {
- "value": "MacDownloader",
- "description": "Iranian macOS exfiltration agent, targeting the 'defense industrial base' and human rights advocates.",
 "meta": {
 "refs": [
 "https://objective-see.com/blog/blog_0x25.html#MacDownloader"
@@ -3638,11 +3627,11 @@
 "iKitten"
 ]
 },
+ "description": "Iranian macOS exfiltration agent, targeting the 'defense industrial base' and human rights advocates.",
+ "value": "MacDownloader",
 "uuid": "14f08f6f-7f58-48a8-8469-472244ffb571"
 },
 {
- "value": "Empyre",
- "description": "The open-source macOS backdoor, 'Empye', maliciously packaged into a macro'd Word document",
 "meta": {
 "refs": [
 "https://objective-see.com/blog/blog_0x25.html#Empyre"
@@ -3651,51 +3640,51 @@
 "Empye"
 ]
 },
+ "description": "The open-source macOS backdoor, 'Empye', maliciously packaged into a macro'd Word document",
+ "value": "Empyre",
 "uuid": "cf55bbb8-37eb-4cc6-ac14-7b42b950c687"
 },
 {
- "value": "Proton",
- "description": "A fully-featured macOS backdoor, designed to collect and exfiltrate sensitive user data such as 1Password files, browser login data, and keychains.",
 "meta": {
 "refs": [
 "https://objective-see.com/blog/blog_0x25.html#Proton"
 ]
 },
+ "description": "A fully-featured macOS backdoor, designed to collect and exfiltrate sensitive user data such as 1Password files, browser login data, and keychains.",
+ "value": "Proton",
 "uuid": "a495d254-7092-4a63-9872-3a82c13fe2dd"
 },
 {
- "value": "Mughthesec",
- "description": "Adware which hijacks a macOS user's homepage to redirect search queries.",
 "meta": {
 "refs": [
 "https://objective-see.com/blog/blog_0x25.html"
 ]
 },
+ "description": "Adware which hijacks a macOS user's homepage to redirect search queries.",
+ "value": "Mughthesec",
 "uuid": "4e2f0af2-6d2d-4a49-adc9-fae3745fcb72"
 },
 {
- "value": "Pwnet",
- "description": "A macOS crypto-currency miner, distributed via a trojaned 'CS-GO' hack.",
 "meta": {
 "refs": [
 "https://objective-see.com/blog/blog_0x25.html"
 ]
 },
+ "description": "A macOS crypto-currency miner, distributed via a trojaned 'CS-GO' hack.",
+ "value": "Pwnet",
 "uuid": "29e52693-b325-4c14-93de-8f2ff9dca8bf"
 },
 {
- "value": "CpuMeaner",
- "description": "A macOS crypto-currency mining trojan.",
 "meta": {
 "refs": [
 "https://objective-see.com/blog/blog_0x25.html"
 ]
 },
+ "description": "A macOS crypto-currency mining trojan.",
+ "value": "CpuMeaner",
 "uuid": "5bc62523-dc80-46b4-b5cb-9caf44c11552"
 },
 {
- "value": "Travle",
- "description": "The Travle sample found during our investigation was a DLL with a single exported function (MSOProtect). The malware name Travle was chosen given a string found in early samples of this family: “Travle Path Failed!”. This typo was replaced with correct word “Travel” in newer releases. We believe that Travle could be a successor to the NetTraveler family.",
 "meta": {
 "refs": [
 "https://securelist.com/travle-aka-pylot-backdoor-hits-russian-speaking-targets/83455/"
@@ -3704,50 +3693,51 @@
 "PYLOT"
 ]
 },
+ "description": "The Travle sample found during our investigation was a DLL with a single exported function (MSOProtect). The malware name Travle was chosen given a string found in early samples of this family: “Travle Path Failed!”. This typo was replaced with correct word “Travel” in newer releases. We believe that Travle could be a successor to the NetTraveler family.",
+ "value": "Travle",
 "uuid": "9d689318-2bc1-4bfb-92ee-a81fea35434f"
 },
 {
- "value": "Digmine",
- "description": "Digmine is coded in AutoIt, and sent to would-be victims posing as a video file but is actually an AutoIt executable script. If the user’s Facebook account is set to log in automatically, Digmine will manipulate Facebook Messenger in order to send a link to the file to the account’s friends. The abuse of Facebook is limited to propagation for now, but it wouldn’t be implausible for attackers to hijack the Facebook account itself down the line. This functionality’s code is pushed from the command-and-control (C&C) server, which means it can be updated.",
 "meta": {
 "refs": [
 "https://blog.trendmicro.com/trendlabs-security-intelligence/digmine-cryptocurrency-miner-spreading-via-facebook-messenger/"
 ]
 },
+ "description": "Digmine is coded in AutoIt, and sent to would-be victims posing as a video file but is actually an AutoIt executable script. If the user’s Facebook account is set to log in automatically, Digmine will manipulate Facebook Messenger in order to send a link to the file to the account’s friends. The abuse of Facebook is limited to propagation for now, but it wouldn’t be implausible for attackers to hijack the Facebook account itself down the line. This functionality’s code is pushed from the command-and-control (C&C) server, which means it can be updated.",
+ "value": "Digmine",
 "uuid": "d248a27c-d036-4032-bc70-803a1b0c8148"
 },
 {
- "description": "TSCookie itself only serves as a downloader. It expands functionality by downloading modules from C&C servers. The sample that was examined downloaded a DLL file which has exfiltrating function among many others (hereafter “TSCookieRAT”). Downloaded modules only runs on memory.",
- "value": "TSCookie",
 "meta": {
 "refs": [
 "http://blog.jpcert.or.jp/.s/2018/03/malware-tscooki-7aa0.html"
 ]
- }
+ },
+ "description": "TSCookie itself only serves as a downloader. It expands functionality by downloading modules from C&C servers. The sample that was examined downloaded a DLL file which has exfiltrating function among many others (hereafter “TSCookieRAT”). Downloaded modules only runs on memory.",
+ "value": "TSCookie",
+ "uuid": "a71ed71f-b8f4-416d-9c57-910a42e59430"
 },
 {
- "value": "Exforel",
- "description": "Exforel backdoor malware, VirTool:WinNT/Exforel.A, backdoor implemented at the Network Driver Interface Specification (NDIS) level.",
 "meta": {
 "refs": [
 "http://news.softpedia.com/news/Exforel-Backdoor-Implemented-at-NDIS-Level-to-Be-More-Stealthy-Experts-Say-313567.shtml"
 ]
 },
+ "description": "Exforel backdoor malware, VirTool:WinNT/Exforel.A, backdoor implemented at the Network Driver Interface Specification (NDIS) level.",
+ "value": "Exforel",
 "uuid": "3119554e-236e-11e8-ae2e-b7063732fd07"
 },
 {
- "value": "Rotinom",
- "description": "W32.Rotinom is a worm that spreads by copying itself to removable drives. ",
 "meta": {
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-011117-0057-99"
 ]
 },
+ "description": "W32.Rotinom is a worm that spreads by copying itself to removable drives. ",
+ "value": "Rotinom",
 "uuid": "5f4be30a-2373-11e8-bbab-774ff49fd040"
 },
 {
- "value": "Aurora",
- "description": "You probably have heard the recent news about a widespread attack that was carried out using a 0-Day exploit for Internet Explorer as one of the vectors. This exploit is also known as the \"Aurora Exploit\". The code has recently gone public and it was also added to the Metasploit framework.\nThis exploit was used to deliver a malicious payload, known by the name of Trojan.Hydraq, the main purpose of which was to steal information from the compromised computer and report it back to the attackers.\nThe exploit code makes use of known techniques to exploit a vulnerability that exists in the way Internet Explorer handles a deleted object. The final purpose of the exploit itself is to access an object that was previously deleted, causing the code to reference a memory location over which the attacker has control and in which the attacker dropped his malicious code.",
 "meta": {
 "refs": [
 "https://www.symantec.com/connect/blogs/trojanhydraq-incident-analysis-aurora-0-day-exploit",
@@ -3758,11 +3748,11 @@
 "Hydraq"
 ]
 },
+ "description": "You probably have heard the recent news about a widespread attack that was carried out using a 0-Day exploit for Internet Explorer as one of the vectors. This exploit is also known as the \"Aurora Exploit\". The code has recently gone public and it was also added to the Metasploit framework.\nThis exploit was used to deliver a malicious payload, known by the name of Trojan.Hydraq, the main purpose of which was to steal information from the compromised computer and report it back to the attackers.\nThe exploit code makes use of known techniques to exploit a vulnerability that exists in the way Internet Explorer handles a deleted object. The final purpose of the exploit itself is to access an object that was previously deleted, causing the code to reference a memory location over which the attacker has control and in which the attacker dropped his malicious code.",
+ "value": "Aurora",
 "uuid": "70c31066-237a-11e8-8eff-37ef1ad0c703"
 },
 {
- "value": "Cheshire Cat",
- "description": "Oldest Cheshire Cat malware compiled in 2002. It's a very old family of malware.\nThe time stamps may be forged but the malware does have support for very old operating systems. The 2002 implant retrieves a handle for an asr2892 drives that they never got their hands on. It checks for a NE header which is a header type used before PE headers even existed. References to 16bit or DOS on a non 9x platform. This malware implant IS REALLY for old systems.\nThe malware is for espionage - it's very carefully made to stay hidden. Newer versions install as icon handler shell extension for .lnk files. Shell in this case means the program manager because windows explorer was not yet a thing. It sets up COM server objects. It looks like it was written in pure C, but made to look like C++.\nA sensitive implant as well: it checks for all kinds of old MS platforms including Windows NT, win95, win98, winME and more. It checks the patch level as well. A lot of effort was put into adapting this malware to a lot of different operating systems with very granular decision chains.",
 "meta": {
 "refs": [
 "https://www.youtube.com/watch?v=u2Ry9HTBbZI",
@@ -3770,11 +3760,11 @@
 "https://www.peerlyst.com/posts/hack-lu-2016-recap-interesting-malware-no-i-m-not-kidding-by-marion-marschalek-claus-cramon"
 ]
 },
+ "description": "Oldest Cheshire Cat malware compiled in 2002. It's a very old family of malware.\nThe time stamps may be forged but the malware does have support for very old operating systems. The 2002 implant retrieves a handle for an asr2892 drives that they never got their hands on. It checks for a NE header which is a header type used before PE headers even existed. References to 16bit or DOS on a non 9x platform. This malware implant IS REALLY for old systems.\nThe malware is for espionage - it's very carefully made to stay hidden. Newer versions install as icon handler shell extension for .lnk files. Shell in this case means the program manager because windows explorer was not yet a thing. It sets up COM server objects. It looks like it was written in pure C, but made to look like C++.\nA sensitive implant as well: it checks for all kinds of old MS platforms including Windows NT, win95, win98, winME and more. It checks the patch level as well. A lot of effort was put into adapting this malware to a lot of different operating systems with very granular decision chains.",
+ "value": "Cheshire Cat",
 "uuid": "7af226a0-237d-11e8-b438-075460988010"
 },
 {
- "value": "Downloader-FGO",
- "description": "Downloader-FGO is a trojan that comes hidden in malicious programs. Once you install the source (carrier) program, this trojan attempts to gain \"root\" access (administrator level access) to your computer without your knowledge",
 "meta": {
 "refs": [
 "https://www.solvusoft.com/en/malware/trojans/downloader-fgo/"
@@ -3793,32 +3783,33 @@
 "Win32/FakePPT_i"
 ],
 "uuid": "c565a3a4-2384-11e8-99e9-ebd8ea5c3c3e"
- }
+ },
+ "description": "Downloader-FGO is a trojan that comes hidden in malicious programs. Once you install the source (carrier) program, this trojan attempts to gain \"root\" access (administrator level access) to your computer without your knowledge",
+ "value": "Downloader-FGO",
+ "uuid": "1a3f876f-0f52-497f-b3ff-b995e2d42c15"
 },
 {
- "value": "miniFlame",
- "description": "Newly discovered spying malware designed to steal data from infected systems was likely built from the same cyber-weaponry factory that produced two other notorious cyberespionage software Flame and Gauss, a security vendor says.\nKaspersky Lab released a technical paper Monday outlining the discovery of the malware the vendor has dubbed \"miniFlame.\"\nWhile capable of working with Flame and Gauss, miniFlame is a \"small, fully functional espionage module designed for data theft and direct access to infected systems,\" Kaspersky said.",
 "meta": {
 "refs": [
 "https://securelist.com/miniflame-aka-spe-elvis-and-his-friends-5/31730/",
 "https://www.csoonline.com/article/2132422/malware-cybercrime/cyberespionage-malware--miniflame--discovered.html"
 ]
 },
+ "description": "Newly discovered spying malware designed to steal data from infected systems was likely built from the same cyber-weaponry factory that produced two other notorious cyberespionage software Flame and Gauss, a security vendor says.\nKaspersky Lab released a technical paper Monday outlining the discovery of the malware the vendor has dubbed \"miniFlame.\"\nWhile capable of working with Flame and Gauss, miniFlame is a \"small, fully functional espionage module designed for data theft and direct access to infected systems,\" Kaspersky said.",
+ "value": "miniFlame",
 "uuid": "16c57264-239f-11e8-9469-0738871e7aa4"
 },
 {
- "value": "GHOTEX",
- "description": "PE_GHOTEX.A-O is a portable executable (PE is the standard executable format for 32-bit Windows files) virus. PE viruses infect executable Windows files by incorporating their code into these files such that they are executed when the infected files are opened.",
 "meta": {
 "refs": [
 "https://www.trendmicro.com/vinfo/dk/threat-encyclopedia/archive/malware/pe_ghotex.a-o"
 ]
 },
+ "description": "PE_GHOTEX.A-O is a portable executable (PE is the standard executable format for 32-bit Windows files) virus. PE viruses infect executable Windows files by incorporating their code into these files such that they are executed when the infected files are opened.",
+ "value": "GHOTEX",
 "uuid": "231b7572-239f-11e8-8404-df420a5d403b"
 },
 {
- "value": "Shipup",
- "description": "Trojan:Win32/Shipup.G is a trojan that modifies the Autorun feature for certain devices.",
 "meta": {
 "refs": [
 "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Shipup.G",
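Review bot: The Downloader-FGO entry ends up with two different identifiers: the kept context line `"uuid": "c565a3a4-2384-11e8-99e9-ebd8ea5c3c3e"` still sits inside `meta` right after `synonyms`, while the added lines mint a fresh top-level `"uuid": "1a3f876f-0f52-497f-b3ff-b995e2d42c15"`. Since an identifier already existed, the safer fix is to promote it — `"uuid": "c565a3a4-2384-11e8-99e9-ebd8ea5c3c3e"` at entry level — and delete the misplaced key from `meta`, so any consumer that already resolved c565a3a4-… keeps working and the entry has exactly one id. If the new value is intentional, the stale `meta.uuid` should still be removed; in the hunks visible here `uuid` is never a `meta` field, so it is dead data that can only confuse tooling that merges or diffs galaxies. The entry's `value`/`description`/`meta` opening lines are outside this hunk.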
@@ -3828,42 +3819,42 @@
 "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~ShipUp-A/detailed-analysis.aspx"
 ]
 },
+ "description": "Trojan:Win32/Shipup.G is a trojan that modifies the Autorun feature for certain devices.",
+ "value": "Shipup",
 "uuid": "4613b76c-4966-44b6-bcd5-f74fa64deb18"
 },
 {
- "value": "Neuron",
- "description": "Neuron consists of both client and server components. The Neuron client and Neuron service are written using the .NET framework with some codebase overlaps.\nThe Neuron client is used to infect victim endpoints and extract sensitive information from local client machines. The Neuron server is used to infect network infrastructure such as mail and web servers, and acts as local Command & Control (C2) for the client component. Establishing a local C2 limits interaction with the target network and remote hosts. It also reduces the log footprint of actor infrastructure and enables client interaction to appear more convincing as the traffic is contained within the target network. ",
 "meta": {
 "refs": [
 "https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20group%20using%20Neuron%20and%20Nautilus%20tools%20alongside%20Snake%20malware_0.pdf"
 ]
 },
+ "description": "Neuron consists of both client and server components. The Neuron client and Neuron service are written using the .NET framework with some codebase overlaps.\nThe Neuron client is used to infect victim endpoints and extract sensitive information from local client machines. The Neuron server is used to infect network infrastructure such as mail and web servers, and acts as local Command & Control (C2) for the client component. Establishing a local C2 limits interaction with the target network and remote hosts. It also reduces the log footprint of actor infrastructure and enables client interaction to appear more convincing as the traffic is contained within the target network. ",
+ "value": "Neuron",
 "uuid": "5c2eeaec-25e3-11e8-9d28-7f64aba5b173"
 },
 {
- "value": "Nautilus",
- "description": "Nautilus is very similar to Neuron both in the targeting of mail servers and how client communications are performed. This malware is referred to as Nautilus due to its embedded internal DLL name “nautilus-service.dll”, again sharing some resemblance to Neuron.\nThe Nautilus service listens for HTTP requests from clients to process tasking requests such as executing commands, deleting files and writing files to disk",
 "meta": {
 "refs": [
 "https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20group%20using%20Neuron%20and%20Nautilus%20tools%20alongside%20Snake%20malware_0.pdf"
 ]
 },
+ "description": "Nautilus is very similar to Neuron both in the targeting of mail servers and how client communications are performed. This malware is referred to as Nautilus due to its embedded internal DLL name “nautilus-service.dll”, again sharing some resemblance to Neuron.\nThe Nautilus service listens for HTTP requests from clients to process tasking requests such as executing commands, deleting files and writing files to disk",
+ "value": "Nautilus",
 "uuid": "73cb7ecc-25e3-11e8-a97b-c35ec4e7dcf8"
 },
 {
- "value": "Gamut Botnet",
- "description": "Gamut was found to be downloaded by a Trojan Downloader that arrives as an attachment from a spam email message. The bot installation is quite simple. After the malware binary has been downloaded, it launches itself from its current directory, usually the Windows %Temp% folder and installs itself as a Windows service.\nThe malware utilizes an anti-VM (virtual machine) trick and terminates itself if it detects that it is running in a virtual machine environment. The bot uses INT 03h trap sporadically in its code, an anti-debugging technique which prevents its code from running within a debugger environment. It can also determine if it is being debugged by using the Kernel32 API - IsDebuggerPresent function.",
 "meta": {
 "refs": [
 "https://www.bleepingcomputer.com/news/security/necurs-and-gamut-botnets-account-for-97-percent-of-the-internets-spam-emails/",
 "https://www.trustwave.com/Resources/SpiderLabs-Blog/Gamut-Spambot-Analysis/"
 ]
 },
+ "description": "Gamut was found to be downloaded by a Trojan Downloader that arrives as an attachment from a spam email message. The bot installation is quite simple. After the malware binary has been downloaded, it launches itself from its current directory, usually the Windows %Temp% folder and installs itself as a Windows service.\nThe malware utilizes an anti-VM (virtual machine) trick and terminates itself if it detects that it is running in a virtual machine environment. The bot uses INT 03h trap sporadically in its code, an anti-debugging technique which prevents its code from running within a debugger environment. It can also determine if it is being debugged by using the Kernel32 API - IsDebuggerPresent function.",
+ "value": "Gamut Botnet",
 "uuid": "492879ac-285b-11e8-a06e-33f548e66e42"
 },
 {
- "value": "CORALDECK",
- "description": "CORALDECK is an exfiltration tool that searches for specified files and exfiltrates them in password protected archives using hardcoded HTTP POST headers. CORALDECK has been observed dropping and using Winrar to exfiltrate data in password protected RAR files as well as WinImage and zip archives",
 "meta": {
 "refs": [
 "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
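Review bot: The re-added Neuron description ends with a trailing space inside the string (`...contained within the target network. "`), which this commit carries over unchanged even though it rewrites the line; trim it to `...contained within the target network."` while the line is being touched. The Nautilus description on the same side also ends without terminal punctuation (`...writing files to disk`), which is worth a period for consistency with the neighbouring entries. The Shipup entry's opening lines are outside this hunk.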
@@ -3873,11 +3864,11 @@
 "FE_APT_InfoStealer_Win_CORALDECK_1"
 ]
 },
+ "description": "CORALDECK is an exfiltration tool that searches for specified files and exfiltrates them in password protected archives using hardcoded HTTP POST headers. CORALDECK has been observed dropping and using Winrar to exfiltrate data in password protected RAR files as well as WinImage and zip archives",
+ "value": "CORALDECK",
 "uuid": "becf81e5-f989-4093-a67d-d55a0483885f"
 },
 {
- "value": "DOGCALL",
- "description": "DOGCALL is a backdoor commonly distributed as an encoded binary file downloaded and decrypted by shellcode following the exploitation of weaponized documents. DOGCALL is capable of capturing screenshots, logging keystrokes, evading analysis with anti-virtual machine detections, and leveraging cloud storage APIs such as Cloud, Box, Dropbox, and Yandex. DOGCALL was used to target South Korean Government and military organizations in March and April 2017. The malware is typically dropped using an HWP exploit in a lure document. The wiper tool, RUHAPPY, was found on some of the systems targeted by DOGCALL. While DOGCALL is primarily an espionage tool, RUHAPPY is a destructive wiper tool meant to render systems inoperable.",
 "meta": {
 "refs": [
 "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
@@ -3888,11 +3879,11 @@
 "APT.Backdoor.Win.DOGCALL"
 ]
 },
+ "description": "DOGCALL is a backdoor commonly distributed as an encoded binary file downloaded and decrypted by shellcode following the exploitation of weaponized documents. DOGCALL is capable of capturing screenshots, logging keystrokes, evading analysis with anti-virtual machine detections, and leveraging cloud storage APIs such as Cloud, Box, Dropbox, and Yandex. DOGCALL was used to target South Korean Government and military organizations in March and April 2017. The malware is typically dropped using an HWP exploit in a lure document. The wiper tool, RUHAPPY, was found on some of the systems targeted by DOGCALL. While DOGCALL is primarily an espionage tool, RUHAPPY is a destructive wiper tool meant to render systems inoperable.",
+ "value": "DOGCALL",
 "uuid": "a5e851b4-e046-43b6-bc6e-c6c008e3c5aa"
 },
 {
- "value": "GELCAPSULE",
- "description": "GELCAPSULE is a downloader traditionally dropped or downloaded by an exploit document. GELCAPSULE has been observed downloading SLOWDRIFT to victim systems.",
 "meta": {
 "refs": [
 "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
@@ -3901,11 +3892,11 @@
 "FE_APT_Downloader_Win32_GELCAPSULE_1"
 ]
 },
+ "description": "GELCAPSULE is a downloader traditionally dropped or downloaded by an exploit document. GELCAPSULE has been observed downloading SLOWDRIFT to victim systems.",
+ "value": "GELCAPSULE",
 "uuid": "ac008bbd-f415-458e-96bf-be7d158df2d8"
 },
 {
- "value": "HAPPYWORK",
- "description": "HAPPYWORK is a malicious downloader that can download and execute a second-stage payload, collect system information, and beacon it to the command and control domains. The collected system information includes: computer name, user name, system manufacturer via registry, IsDebuggerPresent state, and execution path. In November 2016, HAPPYWORK targeted government and financial targets in South Korea.",
 "meta": {
 "refs": [
 "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
@@ -3916,11 +3907,11 @@
 "Downloader.APT.HAPPYWORK"
 ]
 },
+ "description": "HAPPYWORK is a malicious downloader that can download and execute a second-stage payload, collect system information, and beacon it to the command and control domains. The collected system information includes: computer name, user name, system manufacturer via registry, IsDebuggerPresent state, and execution path. In November 2016, HAPPYWORK targeted government and financial targets in South Korea.",
+ "value": "HAPPYWORK",
 "uuid": "656cd201-d57a-4a2f-a201-531eb4922a72"
 },
 {
- "value": "KARAE",
- "description": "Karae backdoors are typically used as first-stage malware after an initial compromise. The backdoors can collect system information, upload and download files, and may be used to retrieve a second-stage payload. The malware uses public cloud-based storage providers for command and control. In March 2016, KARAE malware was distributed through torrent file-sharing websites for South Korean users. During this campaign, the malware used a YouTube video downloader application as a lure.",
 "meta": {
 "refs": [
 "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
@@ -3931,11 +3922,11 @@
 "Backdoor.APT.Karae"
 ]
 },
+ "description": "Karae backdoors are typically used as first-stage malware after an initial compromise. The backdoors can collect system information, upload and download files, and may be used to retrieve a second-stage payload. The malware uses public cloud-based storage providers for command and control. In March 2016, KARAE malware was distributed through torrent file-sharing websites for South Korean users. During this campaign, the malware used a YouTube video downloader application as a lure.",
+ "value": "KARAE",
 "uuid": "70ca8408-bc45-4d39-acd2-9190ba15ea97"
 },
 {
- "value": "MILKDROP",
- "description": "MILKDROP is a launcher that sets a persistence registry key and launches a backdoor.",
 "meta": {
 "refs": [
 "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
@@ -3944,11 +3935,11 @@
 "FE_Trojan_Win32_MILKDROP_1"
 ]
 },
+ "description": "MILKDROP is a launcher that sets a persistence registry key and launches a backdoor.",
+ "value": "MILKDROP",
 "uuid": "1064c911-44e6-4c84-8e11-f476a8b06ce8"
 },
 {
- "value": "POORAIM",
- "description": "POORAIM malware is designed with basic backdoor functionality and leverages AOL Instant Messenger for command and control communications. POORAIM includes the following capabilities: System information enumeration, File browsing, manipulation and exfiltration, Process enumeration, Screen capture, File execution, Exfiltration of browser favorites, and battery status. Exfiltrated data is sent via files over AIM. POORAIM has been involved in campaigns against South Korean media organizations and sites relating to North Korean refugees and defectors since early 2014. Compromised sites have acted as watering holes to deliver newer variants of POORAIM.",
 "meta": {
 "refs": [
 "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
@@ -3957,11 +3948,11 @@
 "Backdoor.APT.POORAIM"
 ]
 },
+ "description": "POORAIM malware is designed with basic backdoor functionality and leverages AOL Instant Messenger for command and control communications. POORAIM includes the following capabilities: System information enumeration, File browsing, manipulation and exfiltration, Process enumeration, Screen capture, File execution, Exfiltration of browser favorites, and battery status. Exfiltrated data is sent via files over AIM. POORAIM has been involved in campaigns against South Korean media organizations and sites relating to North Korean refugees and defectors since early 2014. Compromised sites have acted as watering holes to deliver newer variants of POORAIM.",
+ "value": "POORAIM",
 "uuid": "fe97ace3-9a80-42af-9eae-1f9245927e5d"
 },
 {
- "value": "RICECURRY",
- "description": "RICECURRY is a Javascript based profiler used to fingerprint a victim's web browser and deliver malicious code in return. Browser, operating system, and Adobe Flash version are detected by RICECURRY, which may be a modified version of PluginDetect.",
 "meta": {
 "refs": [
 "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
@@ -3970,11 +3961,11 @@
 "Exploit.APT.RICECURRY"
 ]
 },
+ "description": "RICECURRY is a Javascript based profiler used to fingerprint a victim's web browser and deliver malicious code in return. Browser, operating system, and Adobe Flash version are detected by RICECURRY, which may be a modified version of PluginDetect.",
+ "value": "RICECURRY",
 "uuid": "6f37edf6-f5e6-4749-82f9-2aa7c30582c4"
 },
 {
- "value": "RUHAPPY",
- "description": "RUHAPPY is a destructive wiper tool seen on systems targeted by DOGCALL. It attempts to overwrite the MBR, causing the system not to boot. When victims' systems attempt to boot, the string 'Are you Happy?' is displayed. The malware is believed to be tied to the developers of DOGCALL and HAPPYWORK based on similar PDB paths in all three.",
 "meta": {
 "refs": [
 "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
@@ -3983,11 +3974,11 @@
 "FE_APT_Trojan_Win32_RUHAPPY_1"
 ]
 },
+ "description": "RUHAPPY is a destructive wiper tool seen on systems targeted by DOGCALL. It attempts to overwrite the MBR, causing the system not to boot. When victims' systems attempt to boot, the string 'Are you Happy?' is displayed. The malware is believed to be tied to the developers of DOGCALL and HAPPYWORK based on similar PDB paths in all three.",
+ "value": "RUHAPPY",
 "uuid": "96296d57-e9d9-42f1-b08c-c8636369b9aa"
 },
 {
- "value": "SHUTTERSPEED",
- "description": "SHUTTERSPEED is a backdoor that can collect system information, acquire screenshots, and download/execute an arbitrary executable. SHUTTERSPEED typically requires an argument at runtime in order to execute fully. Observed arguments used by SHUTTERSPEED include: 'help', 'console', and 'sample'. The spear phishing email messages contained documents exploiting RTF vulnerability CVE-2017-0199. Many of the compromised domains in the command and control infrastructure are linked to South Korean companies. Most of these domains host a fake webpage pertinent to targets.",
 "meta": {
 "refs": [
 "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
@@ -3997,11 +3988,11 @@
 "APT.Backdoor.SHUTTERSPEED"
 ]
 },
+ "description": "SHUTTERSPEED is a backdoor that can collect system information, acquire screenshots, and download/execute an arbitrary executable. SHUTTERSPEED typically requires an argument at runtime in order to execute fully. Observed arguments used by SHUTTERSPEED include: 'help', 'console', and 'sample'. The spear phishing email messages contained documents exploiting RTF vulnerability CVE-2017-0199. Many of the compromised domains in the command and control infrastructure are linked to South Korean companies. Most of these domains host a fake webpage pertinent to targets.",
+ "value": "SHUTTERSPEED",
 "uuid": "d909efe3-abc3-4be0-9640-e4727542fa2b"
 },
 {
- "value": "SLOWDRIFT",
- "description": "SLOWDRIFT is a launcher that communicates via cloud based infrastructure. It sends system information to the attacker command and control and then downloads and executes additional payloads.Lure documents distributing SLOWDRIFT were not tailored for specific victims, suggesting that TEMP.Reaper is attempting to widen its target base across multiple industries and in the private sector. SLOWDRIFT was seen being deployed against academic and strategic targets in South Korea using lure emails with documents leveraging the HWP exploit. Recent SLOWDRIFT samples were uncovered in June 2017 with lure documents pertaining to cyber crime prevention and news stories. These documents were last updated by the same actor who developed KARAE, POORAIM and ZUMKONG.",
 "meta": {
 "refs": [
 "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
@@ -4012,11 +4003,11 @@
 "APT.Downloader.SLOWDRIFT"
 ]
 },
+ "description": "SLOWDRIFT is a launcher that communicates via cloud based infrastructure. It sends system information to the attacker command and control and then downloads and executes additional payloads.Lure documents distributing SLOWDRIFT were not tailored for specific victims, suggesting that TEMP.Reaper is attempting to widen its target base across multiple industries and in the private sector. SLOWDRIFT was seen being deployed against academic and strategic targets in South Korea using lure emails with documents leveraging the HWP exploit. Recent SLOWDRIFT samples were uncovered in June 2017 with lure documents pertaining to cyber crime prevention and news stories. These documents were last updated by the same actor who developed KARAE, POORAIM and ZUMKONG.",
+ "value": "SLOWDRIFT",
 "uuid": "e5a9a2ec-348e-4a2f-98dd-16c3e8845576"
 },
 {
- "value": "SOUNDWAVE",
- "description": "SOUNDWAVE is a windows based audio capturing utility. Via command line it accepts the -l switch (for listen probably), captures microphone input for 100 minutes, writing the data out to a log file in this format: C:\\Temp\\HncDownload\\YYYYMMDDHHMMSS.log.",
 "meta": {
 "refs": [
 "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
@@ -4025,11 +4016,11 @@
 "FE_APT_HackTool_Win32_SOUNDWAVE_1"
 ]
 },
+ "description": "SOUNDWAVE is a windows based audio capturing utility. Via command line it accepts the -l switch (for listen probably), captures microphone input for 100 minutes, writing the data out to a log file in this format: C:\\Temp\\HncDownload\\YYYYMMDDHHMMSS.log.",
+ "value": "SOUNDWAVE",
 "uuid": "6a0e3c75-5a59-4747-8fec-2e344a328575"
 },
 {
- "value": "ZUMKONG",
- "description": "ZUMKONG is a credential stealer capable of harvesting usernames and passwords stored by Internet Explorer and Chrome browsers. Stolen credentials are emailed to the attacker via HTTP POST requests to mail[.]zmail[.]ru.",
 "meta": {
 "refs": [
 "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
@@ -4039,11 +4030,11 @@
 "Trojan.APT.Zumkong"
 ]
 },
+ "description": "ZUMKONG is a credential stealer capable of harvesting usernames and passwords stored by Internet Explorer and Chrome browsers. Stolen credentials are emailed to the attacker via HTTP POST requests to mail[.]zmail[.]ru.",
+ "value": "ZUMKONG",
 "uuid": "6f1b9155-5de4-4ef7-9f42-60007599c477"
 },
 {
- "value": "WINERACK",
- "description": "WINERACK is backdoor whose primary features include user and host information gathering, process creation and termination, filesystem and registry manipulation, as well as the creation of a reverse shell that utilizes statically-linked Wine cmd.exe code to emulate Windows command prompt commands. Other capabilities include the enumeration of files, directories, services, active windows and processes.",
 "meta": {
 "refs": [
 "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
@@ -4053,39 +4044,39 @@
 "Backdoor.APT.WINERACK"
 ]
 },
+ "description": "WINERACK is backdoor whose primary features include user and host information gathering, process creation and termination, filesystem and registry manipulation, as well as the creation of a reverse shell that utilizes statically-linked Wine cmd.exe code to emulate Windows command prompt commands. Other capabilities include the enumeration of files, directories, services, active windows and processes.",
+ "value": "WINERACK",
 "uuid": "49025073-4cd3-43b8-b893-e80a1d3adc04"
 },
 {
- "value": "RoyalCli",
- "description": "The RoyalCli backdoor appears to be an evolution of BS2005 and uses familiar encryption and encoding routines. The name RoyalCli was chosen by us due to a debugging path left in the binary: 'c:\\users\\wizard\\documents\\visual studio 2010\\Projects\\RoyalCli\\Release\\RoyalCli.pdb' RoyalCli and BS2005 both communicate with the attacker's command and control (C2) through Internet Explorer (IE) by using the COM interface IWebBrowser2. Due to the nature of the technique, this results in C2 data being cached to disk by the IE process; we'll get to this later.",
 "meta": {
 "refs": [
 "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
 ]
 },
+ "description": "The RoyalCli backdoor appears to be an evolution of BS2005 and uses familiar encryption and encoding routines. The name RoyalCli was chosen by us due to a debugging path left in the binary: 'c:\\users\\wizard\\documents\\visual studio 2010\\Projects\\RoyalCli\\Release\\RoyalCli.pdb' RoyalCli and BS2005 both communicate with the attacker's command and control (C2) through Internet Explorer (IE) by using the COM interface IWebBrowser2. Due to the nature of the technique, this results in C2 data being cached to disk by the IE process; we'll get to this later.",
+ "value": "RoyalCli",
 "uuid": "ac04d0b0-c6b5-4125-acd7-c58dfe7ad4cf"
 },
 {
- "value": "RoyalDNS",
 "meta": {
 "refs": [
 "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
 ]
 },
- "uuid": "7b20b78a-df6e-40c7-9a3a-363f040cfad7"
+ "uuid": "7b20b78a-df6e-40c7-9a3a-363f040cfad7",
+ "value": "RoyalDNS"
 },
 {
- "value": "SHARPKNOT",
 "meta": {
 "refs": [
 "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf"
 ]
 },
- "uuid": "3784c74-691a-4110-94f6-66e60224aa92"
+ "uuid": "3784c74-691a-4110-94f6-66e60224aa92",
+ "value": "SHARPKNOT"
 },
 {
- "value": "KillDisk Wiper",
- "description": "KillDisk, along with the multipurpose, cyberespionage-related BlackEnergy, was used in cyberattacks in late December 2015 against Ukraine’s energy sector as well as its banking, rail, and mining industries. The malware has since metamorphosed into a threat used for digital extortion, affecting Windows and Linux platforms. The note accompanying the ransomware versions, like in the case of Petya, was a ruse: Because KillDisk also overwrites and deletes files (and don’t store the encryption keys on disk or online), recovering the scrambled files was out of the question. The new variant we found, however, does not include a ransom note.",
 "meta": {
 "refs": [
 "https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/"
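Review bot: The SHARPKNOT entry re-emits `"uuid": "3784c74-691a-4110-94f6-66e60224aa92",` on the new side, and that value is not a valid UUID — its first group has seven hex digits instead of eight — so anything that validates or joins galaxy values on UUID format will reject or mis-key this entry. Since the line is being rewritten anyway, this is the place to replace it with a freshly generated v4 UUID; there has never been a correct identifier for this value, so no consumer can be depending on the malformed one. RoyalDNS and SHARPKNOT are also the only values in this hunk with no `description`, which makes them unusable for anything but a name match; a one-line summary drawn from the cited NCC Group post and US-CERT MAR would fix that. The RoyalCli description ends with the blog-copied dangling sentence "we'll get to this later." — trimming it to end at `...cached to disk by the IE process.` keeps the useful forensic detail without the orphaned reference.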
@@ -4094,11 +4085,11 @@
 "KillDisk"
 ]
 },
+ "description": "KillDisk, along with the multipurpose, cyberespionage-related BlackEnergy, was used in cyberattacks in late December 2015 against Ukraine’s energy sector as well as its banking, rail, and mining industries. The malware has since metamorphosed into a threat used for digital extortion, affecting Windows and Linux platforms. The note accompanying the ransomware versions, like in the case of Petya, was a ruse: Because KillDisk also overwrites and deletes files (and don’t store the encryption keys on disk or online), recovering the scrambled files was out of the question. The new variant we found, however, does not include a ransom note.",
+ "value": "KillDisk Wiper",
 "uuid": "aef0fdd4-38b6-11e8-afdd-3b6145112467"
 },
 {
- "value": "UselessDisk",
- "description": "A new MBR bootlocker called DiskWriter, or UselessDisk, has been discovered that overwrites the MBR of a victim's computer and then displays a ransom screen on reboot instead of booting into Windows. This ransom note asks for $300 in bitcoins in order to gain access to Windows again. Might be a wiper.",
 "meta": {
 "refs": [
 "https://www.bleepingcomputer.com/news/security/the-diskwriter-or-uselessdisk-bootlocker-may-be-a-wiper/"
@@ -4107,22 +4098,22 @@
 "DiskWriter"
 ]
 },
+ "description": "A new MBR bootlocker called DiskWriter, or UselessDisk, has been discovered that overwrites the MBR of a victim's computer and then displays a ransom screen on reboot instead of booting into Windows. This ransom note asks for $300 in bitcoins in order to gain access to Windows again. Might be a wiper.",
+ "value": "UselessDisk",
 "uuid": "b5112fe0-38b6-11e8-af9f-6381b5e5403f"
 },
 {
- "value": "GoScanSSH",
- "description": "During a recent Incident Response (IR) engagement, Talos identified a new malware family that was being used to compromise SSH servers exposed to the internet. This malware, which we have named GoScanSSH, was written using the Go programming language, and exhibited several interesting characteristics. This is not the first malware family that Talos has observed that was written using Go. However, it is relatively uncommon to see malware written in this programming language. In this particular case, we also observed that the attacker created unique malware binaries for each host that was infected with the GoScanSSH malware. Additionally, the GoScanSSH command and control (C2) infrastructure was observed leveraging the Tor2Web proxy service in an attempt to make tracking the attacker-controlled infrastructure more difficult and resilient to takedowns. ",
 "meta": {
 "refs": [
 "http://blog.talosintelligence.com/2018/03/goscanssh-analysis.html",
 "https://www.bleepingcomputer.com/news/security/goscanssh-malware-avoids-government-and-military-servers/"
 ]
 },
+ "description": "During a recent Incident Response (IR) engagement, Talos identified a new malware family that was being used to compromise SSH servers exposed to the internet. This malware, which we have named GoScanSSH, was written using the Go programming language, and exhibited several interesting characteristics. This is not the first malware family that Talos has observed that was written using Go. However, it is relatively uncommon to see malware written in this programming language. In this particular case, we also observed that the attacker created unique malware binaries for each host that was infected with the GoScanSSH malware. Additionally, the GoScanSSH command and control (C2) infrastructure was observed leveraging the Tor2Web proxy service in an attempt to make tracking the attacker-controlled infrastructure more difficult and resilient to takedowns. ",
+ "value": "GoScanSSH",
 "uuid": "8c0a7e1e-3cc4-11e8-8f03-2f71e72f737b"
 },
 {
- "value": "Rovnix",
- "description": "We recently found that the malware family ROVNIX is capable of being distributed via macro downloader. This malware technique was previously seen in the DRIDEX malware, which was notable for using the same routines. DRIDEX is also known as the successor of the banking malware CRIDEX.",
 "meta": {
 "refs": [
 "https://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/"
@@ -4131,31 +4122,31 @@
 "ROVNIX"
 ]
 },
+ "description": "We recently found that the malware family ROVNIX is capable of being distributed via macro downloader. This malware technique was previously seen in the DRIDEX malware, which was notable for using the same routines. DRIDEX is also known as the successor of the banking malware CRIDEX.",
+ "value": "Rovnix",
 "uuid": "a4036a28-3d94-11e8-ad9f-97ada3c6d5fb"
 },
 {
- "value": "Kwampirs",
- "description": "Once Orangeworm has infiltrated a victim’s network, they deploy Trojan.Kwampirs, a backdoor Trojan that provides the attackers with remote access to the compromised computer. When executed, Kwampirs decrypts and extracts a copy of its main DLL payload from its resource section. Before writing the payload to disk, it inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.",
 "meta": {
 "refs": [
 "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia"
 ]
 },
+ "description": "Once Orangeworm has infiltrated a victim’s network, they deploy Trojan.Kwampirs, a backdoor Trojan that provides the attackers with remote access to the compromised computer. When executed, Kwampirs decrypts and extracts a copy of its main DLL payload from its resource section. Before writing the payload to disk, it inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.",
+ "value": "Kwampirs",
 "uuid": "d1e548b8-4793-11e8-8dea-6beff82cac0a"
 },
 {
- "value": "Rubella Macro Builder",
- "description": "A crimeware kit dubbed the Rubella Macro Builder has recently been gaining popularity among members of a top-tier Russian hacking forum. Despite being relatively new and unsophisticated, the kit has a clear appeal for cybercriminals: it’s cheap, fast, and can defeat basic static antivirus detection.",
 "meta": {
 "refs": [
 "https://www.flashpoint-intel.com/blog/rubella-macro-builder/"
 ]
 },
+ "description": "A crimeware kit dubbed the Rubella Macro Builder has recently been gaining popularity among members of a top-tier Russian hacking forum. Despite being relatively new and unsophisticated, the kit has a clear appeal for cybercriminals: it’s cheap, fast, and can defeat basic static antivirus detection.",
+ "value": "Rubella Macro Builder",
 "uuid": "b7be6732-4ed5-11e8-8b82-dff39eb7a396"
 },
 {
- "value": "kitty Malware",
- "description": "Researchers at Imperva's Incapsula said a new piece malware called Kitty leaves a note for cat lovers. It attacks the Drupal content management system (CMS) to illegally mine cryptocurrency Monero.",
 "meta": {
 "refs": [
 "https://www.zdnet.com/article/hello-kitty-malware-targets-drupal-to-mine-for-cryptocurrency/",
@@ -4163,71 +4154,71 @@
 "https://cryptovest.com/news/hello-kitty-new-malware-me0ws-its-way-into-mining-monero/"
 ]
 },
+ "description": "Researchers at Imperva's Incapsula said a new piece malware called Kitty leaves a note for cat lovers. It attacks the Drupal content management system (CMS) to illegally mine cryptocurrency Monero.",
+ "value": "kitty Malware",
 "uuid": "85d5da28-51f7-11e8-bbeb-af367d720136"
 },
 {
- "value": "Maikspy",
- "description": "We discovered a malware family called Maikspy — a multi-platform spyware that can steal users’ private data. The spyware targets Windows and Android users, and first posed as an adult game named after a popular U.S.-based adult film actress. Maikspy, which is an alias that combines the name of the adult film actress and spyware, has been around since 2016.",
 "meta": {
 "refs": [
 "https://blog.trendmicro.com/trendlabs-security-intelligence/maikspy-spyware-poses-as-adult-game-targets-windows-and-android-users/"
 ]
 },
+ "description": "We discovered a malware family called Maikspy — a multi-platform spyware that can steal users’ private data. The spyware targets Windows and Android users, and first posed as an adult game named after a popular U.S.-based adult film actress. Maikspy, which is an alias that combines the name of the adult film actress and spyware, has been around since 2016.",
+ "value": "Maikspy",
 "uuid": "d83ec444-535c-11e8-ae83-831d0a85d77a"
 },
 {
- "value": "Huigezi malware",
- "description": "backdoor trojan popular found prevalently in China",
 "meta": {
 "refs": [
 "https://www.bleepingcomputer.com/news/gaming/chinese-police-arrest-15-people-who-hid-malware-inside-pubg-cheat-apps/"
 ]
 },
+ "description": "backdoor trojan popular found prevalently in China",
+ "value": "Huigezi malware",
 "uuid": "6aef5a32-5381-11e8-ac5a-bb46d8986552"
 },
 {
- "value": "FacexWorm",
- "description": "Facebook, Chrome, and cryptocurrency users should be on the lookout for a new malware strain named FacexWorm that infects victims for the purpose of stealing passwords, stealing cryptocurrency funds, running cryptojacking scripts, and spamming Facebook users. This new strain was spotted in late April by Trend Micro researchers and appears to be related to two other Facebook Messenger spam campaigns, one that took place last August, and another one from December 2017, the latter spreading the Digmine malware. Researchers say FacexWorm's modus operandi is similar to the previous two campaigns, but with the addition of new techniques aimed at cryptocurrency users.",
 "meta": {
 "refs": [
 "https://www.bleepingcomputer.com/news/security/facexworm-spreads-via-facebook-messenger-malicious-chrome-extension/"
 ]
 },
+ "description": "Facebook, Chrome, and cryptocurrency users should be on the lookout for a new malware strain named FacexWorm that infects victims for the purpose of stealing passwords, stealing cryptocurrency funds, running cryptojacking scripts, and spamming Facebook users. This new strain was spotted in late April by Trend Micro researchers and appears to be related to two other Facebook Messenger spam campaigns, one that took place last August, and another one from December 2017, the latter spreading the Digmine malware. Researchers say FacexWorm's modus operandi is similar to the previous two campaigns, but with the addition of new techniques aimed at cryptocurrency users.",
+ "value": "FacexWorm",
 "uuid": "86ac8c80-5382-11e8-b893-4f1651951472"
 },
 {
- "value": "Bankshot",
- "description": "implant used in Operation GhostSecret",
 "meta": {
 "refs": [
 "https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/"
 ]
 },
+ "description": "implant used in Operation GhostSecret",
+ "value": "Bankshot",
 "uuid": "d9431c02-5391-11e8-931f-4beceb8bd697"
 },
 {
- "value": "Proxysvc",
- "description": "downloader used in Operation GhostSecret",
 "meta": {
 "refs": [
 "https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/"
 ]
 },
+ "description": "downloader used in Operation GhostSecret",
+ "value": "Proxysvc",
 "uuid": "dafba168-5391-11e8-87e4-0f93b75d6ac0"
 },
 {
- "value": "Escad",
- "description": "backdoor used in Operation GhostSecret",
 "meta": {
 "refs": [
 "https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/"
 ]
 },
+ "description": "backdoor used in Operation GhostSecret",
+ "value": "Escad",
 "uuid": "db36cf9a-5391-11e8-b53a-97adedf48055"
 },
 {
- "value": "StalinLocker",
- "description": "A new in-development screenlocker/wiper called StalinLocker, or StalinScreamer, was discovered by MalwareHunterTeam that gives you 10 minutes to enter a code or it will try to delete the contents of the drives on the computer. While running, it will display screen that shows Stalin while playing the USSR anthem and displaying a countdown until files are deleted.",
 "meta": {
 "refs": [
 "https://www.bleepingcomputer.com/news/security/stalinlocker-deletes-your-files-unless-you-enter-the-right-code/"
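Review bot: The Huigezi line re-emitted on the new side, `"description": "backdoor trojan popular found prevalently in China",`, is ungrammatical and tells an analyst nothing beyond the name; since the hunk rewrites it anyway, something like `"description": "Backdoor trojan prevalent in China; the cited report covers samples bundled into PUBG cheat applications."` would be usable — the bundling detail is inferred only from the referenced URL's slug, so confirm it against the article before keeping it. The three Operation GhostSecret entries (Bankshot, Proxysvc, Escad) are likewise one-liners that never say which report or actor the operation belongs to; naming the publishing vendor in each description keeps the entries meaningful once the single bleepingcomputer link rots. Minor: `"value": "kitty Malware"` is the only lowercase-initial value in this hunk, and since `value` is the lookup key in a galaxy, the casing should be settled now rather than after consumers have tagged events with it.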
@@ -4236,7 +4227,30 @@
 "StalinScreamer"
 ]
 },
+ "description": "A new in-development screenlocker/wiper called StalinLocker, or StalinScreamer, was discovered by MalwareHunterTeam that gives you 10 minutes to enter a code or it will try to delete the contents of the drives on the computer. While running, it will display screen that shows Stalin while playing the USSR anthem and displaying a countdown until files are deleted.",
+ "value": "StalinLocker",
 "uuid": "50eb8c54-5828-11e8-8d6b-232bb9329fc0"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://blog.talosintelligence.com/2018/05/VPNFilter.html",
+ "https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/new-vpnfilter-malware-infects-routers/",
+ "https://www.fortinet.com/blog/threat-research/defending-against-the-new-vpnfilter-botnet.html"
+ ]
+ },
+ "description": "Advanced, likely state-sponsored or state-affiliated modular malware. The code of this malware overlaps with versions of the BlackEnergy malware. Targeted devices are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) systems.",
+ "value": "VPNFilter",
+ "uuid": "895d769e-b288-4977-a4e1-7d64eb134bf9"
 }
- ]
+ ],
+ "authors": [
+ "Alexandre Dulaunoy",
+ "Florian Roth",
+ "Timo Steffens",
+ "Christophe Vandeplas",
+ "Dennis Rand"
+ ],
+ "type": "tool",
+ "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries."
 }
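Review bot: The new VPNFilter value is added here but nothing in this hunk bumps the cluster's `version` field; MISP instances decide whether to re-import a galaxy from that number, so unless it is incremented elsewhere in the patch, deployed instances will keep the old cluster and never see the entry. The entry's `meta` also carries only `refs` — no `type` and no `synonyms` — which is what other values in this cluster use for filtering, so adding at least `"type": ["Backdoor"]` (hedged: pick whatever type the cluster's conventions assign to modular implants) alongside the refs would make it consistent with its neighbours. The description's "likely state-sponsored or state-affiliated" is an attribution judgement presented as fact in a file automated tooling consumes verbatim; either attribute it explicitly (`"...assessed by Talos as likely state-sponsored..."`) or drop it and let the refs carry the assessment. The trailing top-level reorder is harmless since JSON key order is insignificant, but the moved `"description"` still calls the cluster `threat-actor-tools` while `name` is `Tool`, which is worth reconciling while the line is being touched.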