MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

Fix validation, remove duplicate.

pull/33/head
Raphaël Vinot 2017-02-13 18:52:54 +01:00
parent 47ac01ee96
commit 910398fe76
8 changed files with 483 additions and 451 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

472
clusters/exploit-kit.json
View File

@ -1,453 +1,447 @@
{
"values": [
{ "value": "Astrum",
"values": [
{
"value": "Astrum",
"description": "Astrum Exploit Kit is a private Exploit Kit used in massive scale malvertising campaigns. It's notable by its use of Steganography",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2014/09/astrum-ek.html",
"http://www.welivesecurity.com/2016/12/06/readers-popular-websites-targeted-stealthy-stegano-exploit-kit-hiding-pixels-malicious-ads/"
],
"synonyms": [
"synonyms": [
"Stegano EK"
],
"status": "Unknown - Last Seen 2016-12-07"
}
}
,
{ "value": "DealersChoice",
"status": "Unknown - Last Seen 2016-12-07"
}
},
{
"value": "DealersChoice",
"description": "DealersChoice is a Flash Player Exploit platform triggered by RTF",
"meta": {
"refs": [
"http://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/",
"http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-ramps-up-spear-phishing-before-zero-days-get-patched/"
],
"synonyms": [
"synonyms": [
"Sednit RTF EK"
],
"status": "Active"
}
}
,
{ "value": "DNSChanger",
"status": "Active"
}
},
{
"value": "DNSChanger",
"description": "DNSChanger Exploit Kit is an exploit kit targeting Routers via the browser",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html",
"https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices"
],
"synonyms": [
"synonyms": [
"RouterEK"
],
"status": "Active"
}
}
,
{ "value": "Empire",
"status": "Active"
}
},
{
"value": "Empire",
"description": "The Empire Pack is a variation of RIG operated by a load seller. It's being fed by many traffic actors",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html"
],
"synonyms": [
"synonyms": [
"RIG-E"
]
,
"status": "Unknown - Last seen: 2016-12-29"
}
}
,
{ "value": "Hunter",
],
"status": "Unknown - Last seen: 2016-12-29"
}
},
{
"value": "Hunter",
"description": "Hunter EK is an evolution of 3Ros EK",
"meta": {
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/Hunter-Exploit-Kit-Targets-Brazilian-Banking-Customers"
],
"synonyms": [
"synonyms": [
"3ROS Exploit Kit"
]
,
"status": "Active"
}
}
,
{ "value": "Kaixin",
],
"status": "Active"
}
},
{
"value": "Kaixin",
"description": "Kaixin is an exploit kit mainly seen behind compromised website in Asia",
"meta": {
"refs": [
"http://www.kahusecurity.com/2013/deobfuscating-the-ck-exploit-kit/",
"http://www.kahusecurity.com/2012/new-chinese-exploit-pack/"
],
"synonyms": [
"synonyms": [
"CK vip"
] ,
"status": "Active"
}
}
,
{ "value": "Magnitude",
],
"status": "Active"
}
},
{
"value": "Magnitude",
"description": "Magnitude EK",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2013/10/Magnitude.html",
"http://malware.dontneedcoffee.com/2013/10/Magnitude.html",
"https://www.trustwave.com/Resources/SpiderLabs-Blog/A-Peek-Into-the-Lion-s-Den-%E2%80%93-The-Magnitude--aka-PopAds--Exploit-Kit/",
"http://malware.dontneedcoffee.com/2014/02/and-real-name-of-magnitude-is.html"
],
"synonyms": [
"synonyms": [
"Popads EK",
"TopExp"
],
"status": "Active"
}
}
,
{ "value": "MWI",
"status": "Active"
}
},
{
"value": "MWI",
"description": "Microsoft Word Intruder is an exploit kit focused on Word and embedded flash exploits. The author wants to avoid their customer to use it in mass spam campaign, so it's most often connected to semi-targeted attacks",
"meta": {
"refs": [
"https://www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html",
"https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-microsoft-word-intruder-revealed.pdf"
],
"status": "Active"
}
}
,
{ "value": "Neutrino",
"status": "Active"
}
},
{
"value": "Neutrino",
"description": "Neutrino Exploit Kit has been one of the major exploit kit from its launch in 2013 till september 2016 when it become private (defense name for this variation is Neutrino-v). This EK vanished from march 2014 till november 2014.",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html",
"http://malware.dontneedcoffee.com/2014/11/neutrino-come-back.html"
],
"synonyms": [
"synonyms": [
"Job314",
"Neutrino Rebooted",
"Neutrino-v"
]
,
"status": "Active"
}
}
,
{ "value": "RIG",
],
"status": "Active"
}
},
{
"value": "RIG",
"description": "RIG is an exploit kit that takes its source in Infinity EK itself an evolution of Redkit. It became dominant after the fall of Angler, Nuclear Pack and the end of public access to Neutrino. RIG-v is the name given to RIG 4 when it was only accessible by \"vip\" customers and when RIG 3 was still in use.",
"meta": {
"refs": [
"http://www.kahusecurity.com/2014/rig-exploit-pack/",
"https://www.trustwave.com/Resources/SpiderLabs-Blog/RIG-Reloaded---Examining-the-Architecture-of-RIG-Exploit-Kit-3-0/",
"https://www.trustwave.com/Resources/SpiderLabs-Blog/RIG-Exploit-Kit-%E2%80%93-Diving-Deeper-into-the-Infrastructure/",
"http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html"
"https://www.trustwave.com/Resources/SpiderLabs-Blog/RIG-Exploit-Kit-%E2%80%93-Diving-Deeper-into-the-Infrastructure/",
"http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html"
],
"synonyms": [
"synonyms": [
"RIG 3",
"RIG-v",
"RIG 4",
"Meadgive"
"RIG-v",
"RIG 4",
"Meadgive"
],
"status": "Active"
}
}
,
{ "value": "Sednit EK",
"status": "Active"
}
},
{
"value": "Sednit EK",
"description": "Sednit EK is the exploit kit used by APT28",
"meta": {
"refs": [
"http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/",
"http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/"
],
"status": "Active"
}
}
,
{ "value": "Bizarro Sundown",
"status": "Active"
}
},
{
"value": "Bizarro Sundown",
"description": "Bizarro Sundown appears to be a fork of Sundown with added anti-analysis features",
"meta": {
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/new-bizarro-sundown-exploit-kit-spreads-locky/",
"https://blog.malwarebytes.com/cybercrime/exploits/2016/10/yet-another-sundown-ek-variant/"
],
"synonyms": [
"synonyms": [
"Sundown-b"
],
"status": "Active"
}
}
,
{ "value": "GreenFlash Sundown",
"status": "Active"
}
},
{
"value": "GreenFlash Sundown",
"description": "GreenFlash Sundown is a variation of Bizarro Sundown without landing",
"meta": {
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/new-bizarro-sundown-exploit-kit-spreads-locky/"
],
"synonyms": [
"synonyms": [
"Sundown-GF"
],
"status": "Active"
}
}
,
{ "value": "Sundown",
"status": "Active"
}
},
{
"value": "Sundown",
"description": "Sundown Exploit Kit is mainly built out of stolen code from other exploit kits",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2015/06/fast-look-at-sundown-ek.html",
"https://www.virusbulletin.com/virusbulletin/2015/06/beta-exploit-pack-one-more-piece-crimeware-infection-road"
],
"synonyms": [
"synonyms": [
"Beps",
"Xer",
"Beta"
],
"status": "Active",
"colour": "#C03701"
}
}
,
{ "value": "Angler",
"status": "Active",
"colour": "#C03701"
}
},
{
"value": "Angler",
"description": "The Angler Exploit Kit has been the most popular and evolved exploit kit from 2014 to middle of 2016. There was several variation. The historical \"indexm\" variant was used to spread Lurk. A vip version used notabily to spread Poweliks, the \"standard\" commercial version, and a declinaison tied to load selling (mostly bankers) that can be associated to EmpirePPC",
"meta": {
"refs": [
"https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/",
"http://malware.dontneedcoffee.com/2015/12/xxx-is-angler-ek.html",
"http://malware.dontneedcoffee.com/2016/06/is-it-end-of-angler.html"
"http://malware.dontneedcoffee.com/2016/06/is-it-end-of-angler.html"
],
"synonyms": [
"synonyms": [
"XXX",
"AEK",
"Axpergle"
],
"status": "Retired - Last seen: 2016-06-07"
}
}
,
{ "value": "Archie",
"status": "Retired - Last seen: 2016-06-07"
}
},
{
"value": "Archie",
"description": "Archie EK",
"meta": {
"refs": [
"https://www.alienvault.com/blogs/labs-research/archie-just-another-exploit-kit"
],
"status": "Retired"
}
}
,
{ "value": "BlackHole",
"status": "Retired"
}
},
{
"value": "BlackHole",
"description": "The BlackHole Exploit Kit has been the most popular exploit kit from 2011 to 2013. Its activity stopped with Paunch's arrest (all activity since then is anecdotal and based on an old leak)",
"meta": {
"refs": [
"https://www.trustwave.com/Resources/SpiderLabs-Blog/Blackhole-Exploit-Kit-v2/",
"https://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit/"
],
"synonyms": [
"synonyms": [
"BHEK"
],
"status": "Retired - Last seen: 2013-10-07"
}
}
,
{ "value": "Bleeding Life",
"status": "Retired - Last seen: 2013-10-07"
}
},
{
"value": "Bleeding Life",
"description": "Bleeding Life is an exploit kit that became open source with its version 2",
"meta": {
"refs": [
"http://www.kahusecurity.com/2011/flash-used-in-idol-malvertisement/",
"http://thehackernews.com/2011/10/bleeding-life-2-exploit-pack-released.html"
],
"synonyms": [
"synonyms": [
"BL",
"BL2"
]
,
"status": "Retired"
}
}
,
{ "value": "Cool",
],
"status": "Retired"
}
},
{
"value": "Cool",
"description": "The Cool Exploit Kit was a kind of BlackHole VIP in 2012/2013",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2012/10/newcoolek.html",
"http://malware.dontneedcoffee.com/2013/07/a-styxy-cool-ek.html",
"http://blog.trendmicro.com/trendlabs-security-intelligence/styx-exploit-pack-how-it-works/"
"http://blog.trendmicro.com/trendlabs-security-intelligence/styx-exploit-pack-how-it-works/"
],
"synonyms": [
"synonyms": [
"CEK",
"Styxy Cool"
"Styxy Cool"
],
"status": "Retired - Last seen: 2013-10-07"
}
}
,
{ "value": "Fiesta",
"status": "Retired - Last seen: 2013-10-07"
}
},
{
"value": "Fiesta",
"description": "Fiesta Exploit Kit",
"meta": {
"refs": [
"http://blog.0x3a.com/post/110052845124/an-in-depth-analysis-of-the-fiesta-exploit-kit-an",
"http://www.kahusecurity.com/2011/neosploit-is-back/"
],
"synonyms": [
"synonyms": [
"NeoSploit",
"Fiexp"
]
,
"status": "Retired - Last Seen: beginning of 2015-07"
}
}
,
{ "value": "FlashPack",
],
"status": "Retired - Last Seen: beginning of 2015-07"
}
},
{
"value": "FlashPack",
"description": "FlashPack EK got multiple fork. The most common variant seen was the standalone Flash version",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html",
"http://malware.dontneedcoffee.com/2013/04/meet-safe-pack-v20-again.html"
],
"synonyms": [
"synonyms": [
"FlashEK",
"SafePack",
"CritXPack",
"Vintage Pack"
]
,
"status": "Retired - Last seen: middle of 2015-04"
}
}
,
{ "value": "GrandSoft",
],
"status": "Retired - Last seen: middle of 2015-04"
}
},
{
"value": "GrandSoft",
"description": "GrandSoft Exploit Kit was a quite common exploit kit used in 2012/2013",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2013/09/FinallyGrandSoft.html",
"http://malware.dontneedcoffee.com/2012/10/neosploit-now-showing-bh-ek-20-like.html",
"https://nakedsecurity.sophos.com/2012/08/24/sophos-sucks-malware/"
"https://nakedsecurity.sophos.com/2012/08/24/sophos-sucks-malware/"
],
"synonyms": [
"synonyms": [
"StampEK",
"SofosFO"
] ,
"status": "Retired - Last seen: 2014-03"
}
}
,
{ "value": "HanJuan",
],
"status": "Retired - Last seen: 2014-03"
}
},
{
"value": "HanJuan",
"description": "Hanjuan EK was a one actor fed variation of Angler EK used in evolved malvertising chain targeting USA. It has been using a 0day (CVE-2015-0313) from beginning of December 2014 till beginning of February 2015",
"meta": {
"refs": [
"http://www.malwaresigs.com/2013/10/14/unknown-ek/",
"https://blog.malwarebytes.com/threat-analysis/2014/08/shining-some-light-on-the-unknown-exploit-kit/",
"http://www.malwaresigs.com/2013/10/14/unknown-ek/",
"https://blog.malwarebytes.com/threat-analysis/2014/08/shining-some-light-on-the-unknown-exploit-kit/",
"http://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-exploit-kit-in-cve-2015-0313-attack",
"https://twitter.com/kafeine/status/562575744501428226"
],
"status": "Retired - Last seen: 2015-07"
}
}
,
{ "value": "Himan",
"status": "Retired - Last seen: 2015-07"
}
},
{
"value": "Himan",
"description": "Himan Exploit Kit",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2013/10/HiMan.html"
],
"synonyms": [
"synonyms": [
"High Load"
],
"status": "Retired - Last seen: 2014-04"
}
}
,
{ "value": "Impact",
"status": "Retired - Last seen: 2014-04"
}
},
{
"value": "Impact",
"description": "Impact EK",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2012/12/inside-impact-exploit-kit-back-on-track.html"
]
,
"status": "Retired"
}
}
,
{ "value": "Infinity",
],
"status": "Retired"
}
},
{
"value": "Infinity",
"description": "Infinity is an evolution of Redkit",
"meta": {
"refs": [
"http://blog.talosintel.com/2013/11/im-calling-this-goon-exploit-kit-for-now.html",
"http://www.kahusecurity.com/2014/the-resurrection-of-redkit/"
"http://www.kahusecurity.com/2014/the-resurrection-of-redkit/"
],
"synonyms": [
"synonyms": [
"Redkit v2.0",
"Goon"
],
"status": "Retired - Last seen: 2014-07"
}
}
,
{ "value": "Lightsout",
"status": "Retired - Last seen: 2014-07"
}
},
{
"value": "Lightsout",
"description": "Lightsout Exploit Kit has been used in Watering Hole attack performed by the APT Group havex",
"meta": {
"refs": [
"http://blog.talosintel.com/2014/03/hello-new-exploit-kit.html",
"http://blog.talosintel.com/2014/05/continued-analysis-of-lightsout-exploit.html",
"http://malwageddon.blogspot.fr/2013/09/unknown-ek-by-way-how-much-is-fish.html"
"http://malwageddon.blogspot.fr/2013/09/unknown-ek-by-way-how-much-is-fish.html"
],
"status": "Unknown - Last seen: 2014-03"
}
}
,
{ "value": "Niteris",
"status": "Unknown - Last seen: 2014-03"
}
},
{
"value": "Niteris",
"description": "Niteris was used mainly to target Russian.",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2014/06/cottoncastle.html",
"http://malware.dontneedcoffee.com/2015/05/another-look-at-niteris-post.html"
],
"synonyms": [
"synonyms": [
"CottonCastle"
],
"status": "Unknown - Last seen: 2015-11"
}
}
,
{ "value": "Nuclear",
"status": "Unknown - Last seen: 2015-11"
}
},
{
"value": "Nuclear",
"description": "The Nuclear Pack appeared in 2009 and has been one of the longer living one. Spartan EK was a landing less variation of Nuclear Pack",
"meta": {
"refs": [
"http://blog.checkpoint.com/2016/05/17/inside-nuclears-core-unraveling-a-ransomware-as-a-service-infrastructure/"
],
"synonyms": [
"synonyms": [
"NEK",
"Nuclear Pack",
"Spartan",
"Neclu"
] ,
"status": "Retired - Last seen: 2015-04-30"
}
}
,
{ "value": "Phoenix",
"Spartan",
"Neclu"
],
"status": "Retired - Last seen: 2015-04-30"
}
},
{
"value": "Phoenix",
"description": "Phoenix Exploit Kit",
"meta": {
"refs": [
"http://malwareint.blogspot.fr/2010/09/phoenix-exploits-kit-v21-inside.html",
"http://blog.trendmicro.com/trendlabs-security-intelligence/now-exploiting-phoenix-exploit-kit-version-2-5/"
],
"synonyms": [
"synonyms": [
"PEK"
],
"status": "Retired"
}
}
,
{ "value": "Private Exploit Pack",
"status": "Retired"
}
},
{
"value": "Private Exploit Pack",
"description": "Private Exploit Pack",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2013/07/pep-new-bep.html",
"http://malwageddon.blogspot.fr/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html"
],
"synonyms": [
"synonyms": [
"PEP"
],
"status": "Retired"
}
}
,
{ "value": "Redkit",
"status": "Retired"
}
},
{
"value": "Redkit",
"description": "Redkit has been a major exploit kit in 2012. One of its specific features was to allow its access against a share of a percentage of the customer's traffic",
"meta": {
"refs": [
@ -455,35 +449,35 @@
"http://malware.dontneedcoffee.com/2012/05/inside-redkit.html",
"https://nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kit-part-2/"
],
"status": "Retired"
}
}
,
{ "value": "Sakura",
"status": "Retired"
}
},
{
"value": "Sakura",
"description": "Description Here",
"meta": {
"refs": [
"http://www.xylibox.com/2012/01/sakura-exploit-pack-10.html"
],
"status": "Retired - Last seen: 2013-09"
}
}
,
{ "value": "Sweet-Orange",
"status": "Retired - Last seen: 2013-09"
}
},
{
"value": "Sweet-Orange",
"description": "Sweet Orange",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2012/12/juice-sweet-orange-2012-12.html"
],
"synonyms": [
"synonyms": [
"SWO",
"Anogre"
],
"status": "Retired - Last seen: 2015-04-05"
}
}
,
{ "value": "Styx",
"status": "Retired - Last seen: 2015-04-05"
}
},
{
"value": "Styx",
"description": "Styx Exploit Kit",
"meta": {
"refs": [
@ -491,11 +485,11 @@
"https://krebsonsecurity.com/2013/07/styx-exploit-pack-domo-arigato-pc-roboto/",
"http://malware.dontneedcoffee.com/2013/05/inside-styx-2013-05.html"
],
"status":"Retired - Last seen: 2014-06"
}
}
,
{ "value": "Unknown",
"status": "Retired - Last seen: 2014-06"
}
},
{
"value": "Unknown",
"description": "Unknown Exploit Kit. This is a place holder for any undocumented Exploit Kit. If you use this tag, we will be more than happy to give the associated EK a deep look.",
"meta": {
"refs": [
@ -503,9 +497,9 @@
"https://twitter.com/node5",
"https://twitter.com/kahusecurity"
]
}
}
}
],
],
"version": 3,
"uuid": "454f4e78-bd7c-11e6-a4a6-cec0c932ce01",
"description": "Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years",

38
clusters/microsoft-activity-group.json
View File

@ -4,21 +4,27 @@
"value": "PROMETHIUM",
"description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.",
"meta": {
"refs": ["https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"]
}
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
]
}
},
{
"value": "NEODYMIUM",
"description": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoors characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.",
"meta": {
"refs": ["https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"]
}
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
]
}
},
{
"value": "TERBIUM",
"description": "Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.",
"meta" : {
"refs": ["https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/"]
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/"
]
}
},
{
@ -36,12 +42,12 @@
"Group-4127",
"Sofacy",
"Grey-Cloud"
],
],
"country": "RU",
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-customers-security/",
"http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_A_Profile_Of_A_Persistent_Adversary_English.pdf",
"https://blogs.technet.microsoft.com/mmpc/2015/11/16/microsoft-security-intelligence-report-strontium/"
"https://blogs.technet.microsoft.com/mmpc/2015/11/16/microsoft-security-intelligence-report-strontium/"
]
}
},
@ -74,14 +80,19 @@
"value": "BARIUM",
"description": "Microsoft Threat Intelligence associates Winnti with multiple activity groups—collections of malware, supporting infrastructure, online personas, victimology, and other attack artifacts that the Microsoft intelligent security graph uses to categorize and attribute threat activity. Microsoft labels activity groups using code names derived from elements in the periodic table. In the case of this malware, the activity groups strongly associated with Winnti are BARIUM and LEAD. But even though they share the use of Winnti, the BARIUM and LEAD activity groups are involved in very different intrusion scenarios. BARIUM begins its attacks by cultivating relationships with potential victims—particularly those working in Business Development or Human Resources—on various social media platforms. Once BARIUM has established rapport, they spear-phish the victim using a variety of unsophisticated malware installation vectors, including malicious shortcut (.lnk) files with hidden payloads, compiled HTML help (.chm) files, or Microsoft Office documents containing macros or exploits. Initial intrusion stages feature the Win32/Barlaiy implant—notable for its use of social network profiles, collaborative document editing sites, and blogs for C&C. Later stages of the intrusions rely upon Winnti for persistent access. The majority of victims recorded to date have been in electronic gaming, multimedia, and Internet content industries, although occasional intrusions against technology companies have occurred.",
"meta": {
"refs": ["https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/"]
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/"
]
}
},
{
"value": "LEAD",
"description": "In contrast, LEAD has established a far greater reputation for industrial espionage. In the past few years, LEADs victims have included: Multinational, multi-industry companies involved in the manufacture of textiles, chemicals, and electronics Pharmaceutical companies A company in the chemical industry University faculty specializing in aeronautical engineering and research A company involved in the design and manufacture of motor vehicles A cybersecurity company focusing on protecting industrial control systems During these intrusions, LEADs objective was to steal sensitive data, including research materials, process documents, and project plans. LEAD also steals code-signing certificates to sign its malware in subsequent attacks. In most cases, LEADs attacks do not feature any advanced exploit techniques. The group also does not make special effort to cultivate victims prior to an attack. Instead, the group often simply emails a Winnti installer to potential victims, relying on basic social engineering tactics to convince recipients to run the attached malware. In some other cases, LEAD gains access to a target by brute-forcing remote access login credentials, performing SQL injection, or exploiting unpatched web servers, and then they copy the Winnti installer directly to compromised machines.",
"meta": {
"refs": ["https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/"] }
"value": "LEAD",
"description": "In contrast, LEAD has established a far greater reputation for industrial espionage. In the past few years, LEADs victims have included: Multinational, multi-industry companies involved in the manufacture of textiles, chemicals, and electronics Pharmaceutical companies A company in the chemical industry University faculty specializing in aeronautical engineering and research A company involved in the design and manufacture of motor vehicles A cybersecurity company focusing on protecting industrial control systems During these intrusions, LEADs objective was to steal sensitive data, including research materials, process documents, and project plans. LEAD also steals code-signing certificates to sign its malware in subsequent attacks. In most cases, LEADs attacks do not feature any advanced exploit techniques. The group also does not make special effort to cultivate victims prior to an attack. Instead, the group often simply emails a Winnti installer to potential victims, relying on basic social engineering tactics to convince recipients to run the attached malware. In some other cases, LEAD gains access to a target by brute-forcing remote access login credentials, performing SQL injection, or exploiting unpatched web servers, and then they copy the Winnti installer directly to compromised machines.",
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/"
]
}
}
],
"name": "Microsoft Activity Group actor",
@ -94,4 +105,3 @@
"uuid": "28b5e55d-acba-4748-a79d-0afa3512689a",
"version": 2
}

66
clusters/preventive-measure.json
View File

@ -6,8 +6,8 @@
"http://windows.microsoft.com/en-us/windows/back-up-restore-faq#1TC=windows-7."
],
"Complexity": "Medium",
"Effectiveness": "High",
"Impact": "Low",
"Effectiveness": "High",
"Impact": "Low",
"Type": "Recovery"
},
"value": "Backup and Restore Process",
@ -20,8 +20,8 @@
"https://www.404techsupport.com/2016/04/office2016-macro-group-policy/?utm_source=dlvr.it&utm_medium=twitter"
],
"Complexity": "Low",
"Effectiveness": "High",
"Impact": "Low",
"Effectiveness": "High",
"Impact": "Low",
"Type": "GPO"
},
"value": "Block Macros",
@ -33,8 +33,8 @@
"http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html"
],
"Complexity": "Low",
"Effectiveness": "Medium",
"Impact": "Medium",
"Effectiveness": "Medium",
"Impact": "Medium",
"Type": "GPO"
},
"value": "Disable WSH",
@ -44,8 +44,8 @@
{
"meta": {
"Complexity": "Low",
"Effectiveness": "Medium",
"Impact": "Low",
"Effectiveness": "Medium",
"Impact": "Low",
"Type": "Mail Gateway"
},
"value": "Filter Attachments Level 1",
@ -54,8 +54,8 @@
{
"meta": {
"Complexity": "Low",
"Effectiveness": "High",
"Impact": "High",
"Effectiveness": "High",
"Impact": "High",
"Type": "Mail Gateway"
},
"value": "Filter Attachments Level 2",
@ -65,12 +65,12 @@
{
"meta": {
"refs": [
"http://www.fatdex.net/php/2014/06/01/disable-exes-from-running-inside-any-user-appdata-directory-gpo/",
"http://www.fatdex.net/php/2014/06/01/disable-exes-from-running-inside-any-user-appdata-directory-gpo/",
"http://www.thirdtier.net/ransomware-prevention-kit/"
],
"Complexity": "Medium",
"Effectiveness": "Medium",
"Impact": "Medium",
"Effectiveness": "Medium",
"Impact": "Medium",
"Type": "GPO"
},
"value": "Restrict program execution",
@ -83,8 +83,8 @@
"http://www.sevenforums.com/tutorials/10570-file-extensions-hide-show.htm"
],
"Complexity": "Low",
"Effectiveness": "Low",
"Impact": "Low",
"Effectiveness": "Low",
"Impact": "Low",
"Type": "User Assistence"
},
"value": "Show File Extensions",
@ -96,8 +96,8 @@
"https://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx"
],
"Complexity": "Low",
"Effectiveness": "Medium",
"Impact": "Low",
"Effectiveness": "Medium",
"Impact": "Low",
"Type": "GPO"
},
"value": "Enforce UAC Prompt",
@ -107,8 +107,8 @@
{
"meta": {
"Complexity": "Medium",
"Effectiveness": "Medium",
"Impact": "Medium",
"Effectiveness": "Medium",
"Impact": "Medium",
"Type": "Best Practice"
},
"value": "Remove Admin Privileges",
@ -118,8 +118,8 @@
{
"meta": {
"Complexity": "Medium",
"Effectiveness": "Low",
"Impact": "Low",
"Effectiveness": "Low",
"Impact": "Low",
"Type": "Best Practice"
},
"value": "Restrict Workstation Communication",
@ -128,7 +128,7 @@
{
"meta": {
"Complexity": "Medium",
"Effectiveness": "High",
"Effectiveness": "High",
"Type": "Advanced Malware Protection"
},
"value": "Sandboxing Email Input",
@ -137,7 +137,7 @@
{
"meta": {
"Complexity": "Medium",
"Effectiveness": "Medium",
"Effectiveness": "Medium",
"Type": "3rd Party Tools"
},
"value": "Execution Prevention",
@ -149,8 +149,8 @@
"https://bluesoul.me/2016/05/12/use-gpo-to-change-the-default-behavior-of-potentially-malicious-file-extensions/"
],
"Complexity": "Low",
"Effectiveness": "Medium",
"Impact": "Medium",
"Effectiveness": "Medium",
"Impact": "Medium",
"Type": "GPO"
},
"value": "Change Default \"Open With\" to Notepad",
@ -163,8 +163,8 @@
"http://jpelectron.com/sample/Info%20and%20Documents/Stop%20crypto%20badware%20before%20it%20ruins%20your%20day/1-PreventCrypto-Readme.htm"
],
"Complexity": "Low",
"Effectiveness": "Medium",
"Impact": "Low",
"Effectiveness": "Medium",
"Impact": "Low",
"Type": "Monitoring"
},
"value": "File Screening",
@ -177,8 +177,8 @@
"http://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx"
],
"Complexity": "Medium",
"Effectiveness": "Medium",
"Impact": "Medium",
"Effectiveness": "Medium",
"Impact": "Medium",
"Type": "GPO"
},
"value": "Restrict program execution #2",
@ -192,8 +192,8 @@
"http://windowsitpro.com/security/control-emet-group-policy"
],
"Complexity": "Medium",
"Effectiveness": "Medium",
"Impact": "Low",
"Effectiveness": "Medium",
"Impact": "Low",
"Type": "GPO"
},
"value": "EMET",
@ -205,8 +205,8 @@
"https://twitter.com/JohnLaTwC/status/799792296883388416"
],
"Complexity": "Medium",
"Effectiveness": "Low",
"Impact": "Low",
"Effectiveness": "Low",
"Impact": "Low",
"Type": "3rd Party Tools"
},
"value": "Sysmon",

159
clusters/tds.json
View File

@ -1,79 +1,80 @@
{
"values": [
{ "value": "Keitaro",
"description": "Keitaro TDS is among the mostly used TDS in drive by infection chains",
"meta": {
"refs": [
"https://keitarotds.com/"
]
},
"type":"Commercial"
}
,
{ "value": "Sutra",
"description": "Sutra TDS was dominant from 2012 till 2015",
"meta": {
"refs": [
"http://kytoon.com/sutra-tds.html"
],
"type":"Commercial"
}
}
,
{ "value": "SimpleTDS",
"description": "SimpleTDS is a basic open source TDS",
"meta": {
"refs": [
"https://sourceforge.net/projects/simpletds/"
],
"synonyms": [
"Stds"
],
"type":"OpenSource"
}
}
,
{ "value": "BossTDS",
"description": "BossTDS",
"meta": {
"refs": [
"http://bosstds.com/"
],
"type":"Commercial"
}
}
,
{ "value": "BlackHat TDS",
"description": "BlackHat TDS is sold underground.",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2014/04/meet-blackhat-tds.html"
],
"type":"Underground"
}
}
,
{ "value": "Futuristic TDS",
"description": "Futuristic TDS is the TDS component of BlackOS/CookieBomb/NorthTale Iframer",
"meta": {
"type":"Underground"
}
}
,
{ "value": "Orchid TDS",
"description": "Orchid TDS was sold underground. Rare usage",
"meta": {
"type":"Underground"
}
}
],
"version": 1,
"uuid": "ab5fffaa-c5f6-11e6-9d9d-cec0c932ce01",
"description": "TDS is a list of Traffic Direction System used by adversaries",
"authors": [
"Kafeine"
],
"source": "MISP Project",
"type": "tds",
"name": "TDS"
}
{
"values": [
{
"value": "Keitaro",
"description": "Keitaro TDS is among the mostly used TDS in drive by infection chains",
"meta": {
"refs": [
"https://keitarotds.com/"
]
},
"type": "Commercial"
},
{
"value": "Sutra",
"description": "Sutra TDS was dominant from 2012 till 2015",
"meta": {
"refs": [
"http://kytoon.com/sutra-tds.html"
],
"type": "Commercial"
}
},
{
"value": "SimpleTDS",
"description": "SimpleTDS is a basic open source TDS",
"meta": {
"refs": [
"https://sourceforge.net/projects/simpletds/"
],
"synonyms": [
"Stds"
],
"type": "OpenSource"
}
},
{
"value": "BossTDS",
"description": "BossTDS",
"meta": {
"refs": [
"http://bosstds.com/"
],
"type": "Commercial"
}
},
{
"value": "BlackHat TDS",
"description": "BlackHat TDS is sold underground.",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2014/04/meet-blackhat-tds.html"
],
"type": "Underground"
}
},
{
"value": "Futuristic TDS",
"description": "Futuristic TDS is the TDS component of BlackOS/CookieBomb/NorthTale Iframer",
"meta": {
"type": "Underground"
}
},
{
"value": "Orchid TDS",
"description": "Orchid TDS was sold underground. Rare usage",
"meta": {
"type": "Underground"
}
}
],
"version": 1,
"uuid": "ab5fffaa-c5f6-11e6-9d9d-cec0c932ce01",
"description": "TDS is a list of Traffic Direction System used by adversaries",
"authors": [
"Kafeine"
],
"source": "MISP Project",
"type": "tds",
"name": "TDS"
}

46
clusters/threat-actor.json
View File

@ -435,7 +435,7 @@
"Motive": "Espionage"
},
"value": "Anchor Panda",
"Description": "PLA Navy"
"description": "PLA Navy"
},
{
"meta": {
@ -990,24 +990,28 @@
"description": "Group targeting Indian Army or related assets in India. Attribution to a Pakistani connection has been made by TrendMicro."
},
{
"refs": [
"https://citizenlab.org/2016/05/stealth-falcon/"
],
"country": "UAE",
"meta": {
"refs": [
"https://citizenlab.org/2016/05/stealth-falcon/"
],
"synonyms": [
"FruityArmor"
],
"country": "UAE"
},
"value": "Stealth Falcon",
"description": "Group targeting Emirati journalists, activists, and dissidents.",
"synonyms": [
"FruityArmor"
]
"description": "Group targeting Emirati journalists, activists, and dissidents."
},
{
"synonyms": [
"Operation Daybreak",
"Operation Erebus"
],
"refs": [
"https://securelist.com/blog/research/75082/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/"
],
"meta": {
"synonyms": [
"Operation Daybreak",
"Operation Erebus"
],
"refs": [
"https://securelist.com/blog/research/75082/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/"
]
},
"value": "ScarCruft",
"description": "ScarCruft is a relatively new APT group; victims have been observed in several countries, including Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer."
},
@ -1356,14 +1360,18 @@
"description": "The Equation Group is a highly sophisticated threat actor described by its discoverers at Kaspersky Labs as one of the most sophisticated cyber attack groups in the world, operating alongside but always from a position of superiority with the creators of Stuxnet and Flame",
"meta": {
"country": "US",
"refs": ["https://en.wikipedia.org/wiki/Equation_Group"]
"refs": [
"https://en.wikipedia.org/wiki/Equation_Group"
]
}
},
{
"value": "Greenbug",
"description": "Greenbug was discovered targeting a range of organizations in the Middle East including companies in the aviation, energy, government, investment, and education sectors.",
"meta": {
"refs": ["https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon"]
"refs": [
"https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon"
]
}
}
],
@ -1379,5 +1387,5 @@
],
"description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
"uuid": "7cdff317-a673-4474-84ec-4f1754947823",
"version": 13
"version": 14
}

149
clusters/tool.json
View File

@ -48,23 +48,13 @@
"value": "ZeGhost"
},
{
"value": "Backdoor.Dripion",
"description": "Backdoor.Dripion was custom developed, deployed in a highly targeted fashion, and used command and control servers disguised as antivirus company websites.",
"value": "Elise Backdoor",
"meta": {
"refs": [
"http://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan"
],
"synonyms": [
"Dripion"
"Elise"
]
}
},
{
"value": "Elise Backdoor",
"synonyms": [
"Elise"
]
},
{
"value": "Trojan.Laziok",
"meta": {
@ -104,7 +94,7 @@
},
{
"value": "Lost Door RAT",
"descriptions": "We recently came across a cyber attack that used a remote access Trojan (RAT) called Lost Door, a tool currently offered on social media sites. What also struck us the most about this RAT (detected as BKDR_LODORAT.A) is how it abuses the Port Forward feature in routers.",
"description": "We recently came across a cyber attack that used a remote access Trojan (RAT) called Lost Door, a tool currently offered on social media sites. What also struck us the most about this RAT (detected as BKDR_LODORAT.A) is how it abuses the Port Forward feature in routers.",
"meta": {
"synonyms": [
"LostDoor RAT"
@ -210,8 +200,13 @@
"value": "Wipbot",
"description": "Waterbug is the name given to the actors who use the malware tools Trojan.Wipbot (also known as Tavdig and Epic Turla)",
"meta": {
"synonyms": ["Tavdig", "Epic Turla"],
"refs": ["https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf"]
"synonyms": [
"Tavdig",
"Epic Turla"
],
"refs": [
"https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf"
]
}
},
{
@ -440,9 +435,14 @@
"value": "Regin",
"description": "Regin (also known as Prax or WarriorPride) is a sophisticated malware toolkit revealed by Kaspersky Lab, Symantec, and The Intercept in November 2014. The malware targets specific users of Microsoft Windows-based computers and has been linked to the US intelligence gathering agency NSA and its British counterpart, the GCHQ. The Intercept provided samples of Regin for download including malware discovered at Belgian telecommunications provider, Belgacom. Kaspersky Lab says it first became aware of Regin in spring 2012, but that some of the earliest samples date from 2003. The name Regin is first found on the VirusTotal website on 9 March 2011.",
"meta": {
"refs": ["https://en.wikipedia.org/wiki/Regin_(malware)"],
"synonyms": ["Prax","WarriorPride"]
}
"refs": [
"https://en.wikipedia.org/wiki/Regin_(malware)"
],
"synonyms": [
"Prax",
"WarriorPride"
]
}
},
{
"value": "Duqu"
@ -925,9 +925,11 @@
{
"value": "Odinaff",
"description": "Odinaff is typically deployed in the first stage of an attack, to gain a foothold onto the network, providing a persistent presence and the ability to install additional tools onto the target network. These additional tools bear the hallmarks of a sophisticated attacker which has plagued the financial industry since at least 2013Carbanak. This new wave of attacks has also used some infrastructure that has previously been used in Carbanak campaigns.",
"refs": [
"https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks"
]
"meta": {
"refs": [
"https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks"
]
}
},
{
"value": "Hworm",
@ -1167,13 +1169,13 @@
},
{
"value": "DownRage",
"synonyms": [
"Carberplike"
],
"meta": {
"refs": [
"https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/",
"https://twitter.com/Timo_Steffens/status/814781584536719360"
],
"synonyms": [
"Carberplike"
]
}
},
@ -1247,61 +1249,78 @@
"value": "MM Core"
},
{
"meta": {
"refs": ["https://en.wikipedia.org/wiki/Shamoon"]
},
"description": "Shamoon,[a] also known as Disttrack, is a modular computer virus discovered by Seculert[1] in 2012, targeting recent NT kernel-based versions of Microsoft Windows. The virus has been used for cyber espionage in the energy sector.[2][3][4] Its discovery was announced on 16 August 2012 by Symantec,[3] Kaspersky Lab,[5] and Seculert.[6] Similarities have been highlighted by Kaspersky Lab and Seculert between Shamoon and the Flame malware.[5][6]",
"value": "Shamoon"
},
{
"value": "GhostAdmin",
"description": "According to MalwareHunterTeam and other researchers that have looked at the malware's source code, GhostAdmin seems to be a reworked version of CrimeScene, another botnet malware family that was active around 3-4 years ago.",
"meta": {
"refs": ["https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/"]
}
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/Shamoon"
]
},
"description": "Shamoon,[a] also known as Disttrack, is a modular computer virus discovered by Seculert[1] in 2012, targeting recent NT kernel-based versions of Microsoft Windows. The virus has been used for cyber espionage in the energy sector.[2][3][4] Its discovery was announced on 16 August 2012 by Symantec,[3] Kaspersky Lab,[5] and Seculert.[6] Similarities have been highlighted by Kaspersky Lab and Seculert between Shamoon and the Flame malware.[5][6]",
"value": "Shamoon"
},
{
"value": " EyePyramid Malware",
"description": "Two Italians referred to as the “Occhionero brothers” have been arrested and accused of using malware and a carefully-prepared spear-phishing scheme to spy on high-profile politicians and businessmen. This case has been called “EyePyramid”, which we first discussed last week. (Conspiracy theories aside, the name came from a domain name and directory path that was found during the research.)",
"meta": {
"refs": ["http://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-inner-workings-eyepyramid/"],
"country": "IT"
}
"value": "GhostAdmin",
"description": "According to MalwareHunterTeam and other researchers that have looked at the malware's source code, GhostAdmin seems to be a reworked version of CrimeScene, another botnet malware family that was active around 3-4 years ago.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/"
]
}
},
{
"value": "LuminosityLink",
"description": "LuminosityLink is a malware family costing $40 that purports to be a system administration utility",
"meta": {
"refs": ["http://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/"]
}
"value": " EyePyramid Malware",
"description": "Two Italians referred to as the “Occhionero brothers” have been arrested and accused of using malware and a carefully-prepared spear-phishing scheme to spy on high-profile politicians and businessmen. This case has been called “EyePyramid”, which we first discussed last week. (Conspiracy theories aside, the name came from a domain name and directory path that was found during the research.)",
"meta": {
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-inner-workings-eyepyramid/"
],
"country": "IT"
}
},
{
"value": "Flokibot",
"description": "Floki Bot, described recently by Dr. Peter Stephenson from SC Magazine, is yet another bot based on the leaked Zeus code. However, the author came up with various custom modifications that makes it more interesting.",
"meta": {
"refs": ["https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/", "https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/"],
"synonyms": ["Floki Bot"]
}
"value": "LuminosityLink",
"description": "LuminosityLink is a malware family costing $40 that purports to be a system administration utility",
"meta": {
"refs": [
"http://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/"
]
}
},
{
"value": "ZeroT",
"description": "Most recently, we have observed the same group targeting military and aerospace interests in Russia and Belarus. Since the summer of 2016, this group began using a new downloader known as ZeroT to install the PlugX remote access Trojan (RAT) and added Microsoft Compiled HTML Help (.chm) as one of the initial droppers delivered in spear-phishing emails.",
"meta": {
"refs": ["https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"]
}
"value": "Flokibot",
"description": "Floki Bot, described recently by Dr. Peter Stephenson from SC Magazine, is yet another bot based on the leaked Zeus code. However, the author came up with various custom modifications that makes it more interesting.",
"meta": {
"refs": [
"https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/",
"https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/"
],
"synonyms": [
"Floki Bot"
]
}
},
{
"value": "StreamEx",
"description": "Cylance dubbed this family of malware StreamEx, based upon a common exported function used across all samples stream, combined with the dropper functionality to append ex to the DLL file name. The StreamEx family has the ability to access and modify the users file system, modify the registry, create system services, enumerate process and system information, enumerate network resources and drive types, scan for security tools such as firewall products and antivirus products, change browser security settings, and remotely execute commands. The malware documented in this post was predominantly 64-bit, however, there are 32-bit versions of the malware in the wild. ",
"meta": {
"refs": ["https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar"]
}
"value": "ZeroT",
"description": "Most recently, we have observed the same group targeting military and aerospace interests in Russia and Belarus. Since the summer of 2016, this group began using a new downloader known as ZeroT to install the PlugX remote access Trojan (RAT) and added Microsoft Compiled HTML Help (.chm) as one of the initial droppers delivered in spear-phishing emails.",
"meta": {
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
]
}
},
{
"value": "StreamEx",
"description": "Cylance dubbed this family of malware StreamEx, based upon a common exported function used across all samples stream, combined with the dropper functionality to append ex to the DLL file name. The StreamEx family has the ability to access and modify the users file system, modify the registry, create system services, enumerate process and system information, enumerate network resources and drive types, scan for security tools such as firewall products and antivirus products, change browser security settings, and remotely execute commands. The malware documented in this post was predominantly 64-bit, however, there are 32-bit versions of the malware in the wild. ",
"meta": {
"refs": [
"https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar"
]
}
}
],
"version": 19,
"version": 21,
"uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
"description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
"author": [
"authors": [
"Alexandre Dulaunoy",
"Florian Roth",
"Timo Steffens",

2
jq_all_the_things.sh
View File

@ -5,7 +5,7 @@ set -x
# Seeds sponge, from moreutils
for dir in galaxies/*.json
for dir in clusters/*.json
do
cat ${dir} | jq . | sponge ${dir}
done

2
validate_all.sh
View File

@ -12,7 +12,7 @@ if ! [ $diffs -eq 0 ]; then
exit 1
fi
for dir in galaxies/*.json
for dir in clusters/*.json
do
echo -n "${dir}: "
jsonschema -i ${dir} schema.json