Merge pull request #200 from Delta-Sierra/master

MOAR CLUSTERS
Alexandre Dulaunoy 2018-05-02 11:13:31 +02:00 committed by GitHub
commit 8de9e10626
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 63 additions and 4 deletions


@ -541,6 +541,16 @@
]
},
"uuid": "383fd414-3805-11e8-ac12-c7b5af38ff67"
},
{
"value": "Muhstik",
"description": "The botnet is exploiting the CVE-2018-7600 vulnerability —also known as Drupalgeddon 2— to access a specific URL and gain the ability to execute commands on a server running the Drupal CMS.\nAt the technical level, Netlab says Muhstik is built on top of Tsunami, a very old strain of malware that has been used for years to create botnets by infecting Linux servers and smart devices running Linux-based firmware.\nCrooks have used Tsunami initially for DDoS attacks, but its feature-set has greatly expanded after its source code leaked online.\nThe Muhstik version of Tsunami, according to a Netlab report published today, can launch DDoS attacks, install the XMRig Monero miner, or install the CGMiner to mine Dash cryptocurrency on infected hosts. Muhstik operators are using these three payloads to make money via the infected hosts.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/big-iot-botnet-starts-large-scale-exploitation-of-drupalgeddon-2-vulnerability/"
]
},
"uuid": "8364b00c-46c6-11e8-a78e-9bcc5609574f"
}
],
"name": "Botnet",
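Review bot: the Muhstik description is a verbatim news excerpt and carries relative wording that will not age in a cluster ("according to a Netlab report published today"); replace "published today" with the report date, and since the text cites the Netlab report as its primary source, add that report to "refs" alongside the BleepingComputer link if its URL is available. Also consider splitting the vulnerability identifier out so it is searchable on its own, e.g. a "cve" or similar meta key holding "CVE-2018-7600", rather than leaving it only inside the prose.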
@ -551,5 +561,5 @@
],
"description": "botnet galaxy",
"uuid": "a91732f4-164a-11e8-924a-ffd4097eb03f",
"version": 2
"version": 3
}


@ -9626,12 +9626,41 @@
"description": "The NMCRYPT Ransomware is a generic file encryption Trojan that was detected in the middle of April 2018. The NMCRYPT Ransomware is a file encoder Trojan that is designed to make data unreadable and convince users to pay a fee for unlocking content on the infected computers. The NMCRYPT Ransomware is nearly identical to hundreds of variants of the HiddenTear open-source ransomware and compromised users are unable to use the Shadow Volume snapshots made by Windows to recover. Unfortunately, the NMCRYPT Ransomware disables the native recovery features on Windows, and you need third-party applications to rebuild your data.",
"value": "NMCRYPT Ransomware",
"uuid": "bd71be69-fb8c-4b1f-9d96-993ab23d5f2b"
},
{
"value": "Iron",
"description": "It is currently unknown if Iron is indeed a new variant by the same creators of Maktub, or if it was simply inspired by the latter, by copying the design for the payment portal for example.\nWe know the Iron ransomware has mimicked at least three ransomware families:Maktub (payment portal design)\nDMA Locker (Iron Unlocker, decryption tool)\nSatan (exclusion list)",
"meta": {
"refs": [
"https://bartblaze.blogspot.lu/2018/04/maktub-ransomware-possibly-rebranded-as.html"
],
"ransomnotes": [
"!HELP_YOUR_FILES.HTML",
"Were very sorry that all of your personal files have been encrypted :( But there are good news they arent gone, you still have the opportunity to restore them! Statistically, the lifespan of a hard-drive is anywhere from 3 to 5 years. If you dont make copies of important information, you could lose everything! Just imagine! In order to receive the program that will decrypt all of your files, you will need to pay a certain amount. But lets start with something else…"
]
},
"uuid": "ba64d47c-46cd-11e8-87df-ff6252b4ea76"
},
{
"value": "Tron ransomware",
"meta": {
"refs": [
"https://twitter.com/malwrhunterteam/status/985152346773696512"
],
"extensions": [
".tron"
],
"ransomnotes": [
"https://pbs.twimg.com/media/DavxIr-W4AEq3Ny.jpg"
]
},
"uuid": "94290f1c-46ff-11e8-b9c6-ef8852c58952"
}
],
"source": "Various",
"uuid": "10cf658b-5d32-4c4b-bb32-61760a640372",
"name": "Ransomware",
"version": 18,
"version": 19,
"type": "ransomware",
"description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar"
}
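Review bot: the Iron entry's description collapses a list into one run-on sentence ("has mimicked at least three ransomware families:Maktub (payment portal design)\nDMA Locker ..."), so add a space or newline after the colon and separate the three items consistently. The "ransomnotes" text for Iron has lost its apostrophes ("Were very sorry", "they arent gone", "If you dont make copies", "But lets start"); because this field is used to match note text, keep it verbatim from the sample or the reference post. The Tron entry has no "description" at all and its only "ransomnotes" value is an image URL rather than note text, so either transcribe the note from the screenshot or move the URL to "refs" and leave "ransomnotes" for actual note content.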


@ -2534,6 +2534,16 @@
]
},
"uuid": "20f2d3a4-3ee7-11e8-8e78-837fd23517e0"
},
{
"value": "Orangeworm",
"description": "Symantec has identified a previously unknown group called Orangeworm that has been observed installing a custom backdoor called Trojan.Kwampirs within large international corporations that operate within the healthcare sector in the United States, Europe, and Asia.\nFirst identified in January 2015, Orangeworm has also conducted targeted attacks against organizations in related industries as part of a larger supply-chain attack in order to reach their intended victims. Known victims include healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry, likely for the purpose of corporate espionage.",
"meta": {
"refs": [
"https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia"
]
},
"uuid": "35d71626-4794-11e8-b74d-bbcbe48fee3c"
}
],
"name": "Threat actor",
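Review bot: the Orangeworm entry names Trojan.Kwampirs in its description but carries no link to the Kwampirs tool cluster added in the same change (uuid "d1e548b8-4793-11e8-8dea-6beff82cac0a"); add a "related" array with a "dest-uuid" pointing at it and a "type" such as "uses", so the actor-to-tool relationship is machine-readable instead of only implied in prose. Since the text gives a first-seen date ("First identified in January 2015"), consider recording that in meta as well rather than only in the description.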
@ -2548,5 +2558,5 @@
],
"description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
"uuid": "7cdff317-a673-4474-84ec-4f1754947823",
"version": 37
"version": 38
}


@ -11,7 +11,7 @@
],
"description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
"uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
"version": 64,
"version": 65,
"values": [
{
"meta": {
@ -4130,6 +4130,16 @@
]
},
"uuid": "a4036a28-3d94-11e8-ad9f-97ada3c6d5fb"
},
{
"value": "Kwampirs",
"description": "Once Orangeworm has infiltrated a victims network, they deploy Trojan.Kwampirs, a backdoor Trojan that provides the attackers with remote access to the compromised computer. When executed, Kwampirs decrypts and extracts a copy of its main DLL payload from its resource section. Before writing the payload to disk, it inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.",
"meta": {
"refs": [
"https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia"
]
},
"uuid": "d1e548b8-4793-11e8-8dea-6beff82cac0a"
}
]
}
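Review bot: the Kwampirs description has a missing apostrophe ("infiltrated a victims network" should read "victim's network"), and the entry should carry "synonyms": ["Trojan.Kwampirs"], since the description itself uses the vendor detection name and lookups on that string will otherwise miss the cluster. As with the actor entry, add a "related" entry back to Orangeworm (uuid "35d71626-4794-11e8-b74d-bbcbe48fee3c") so the pair is linked in both directions.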