diff --git a/clusters/tool.json b/clusters/tool.json index c59b455e..20e942b7 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
@@ -1,167 +1,194 @@ { "values": [ - { - "value" : "PlugX", - "description" : "Malware", - "meta" : { - "refs" : [ - "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/112/pulling-the-plug-on-plugx" - ], - "synonyms" : [ - "Backdoor.FSZO-5117", - "Trojan.Heur.JP.juW@ayZZvMb", - "Trojan.Inject1.6386", - "Korplug", - "Agent.dhwf" - ], - "type" : "rat" - } - }, - { - "value" : "MSUpdater", - "description" : " Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009", - "meta" : { - "refs" : [ - "https://www.zscaler.com/pdf/whitepapers/msupdater_trojan_whitepaper.pdfx" - ], - "type" : "rat" - } - }, - { - "value" : "Lazagne", - "description" : "A password sthealing tool regularly used by attackers", - "meta" : { - "refs" : [ - "https://github.com/AlessandroZ/LaZagne" - ], - "type" : "tool" - } - }, - { - "value" : "Poison Ivy", - "description" : "Poison Ivy is a RAT which was freely available and first released in 2005.", - "meta" : { - "refs" : [ - "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf", - "https://www.f-secure.com/v-descs/backdoor_w32_poisonivy.shtml" - ], - "synonyms" : [ - "Backdoor.Win32.PoisonIvy", - "Gen:Trojan.Heur.PT" - ], - "type" : "rat" - } - }, - { - "value" : "SPIVY", - "description" : "In March 2016, Unit 42 observed this new Poison Ivy variant we’ve named SPIVY being deployed via weaponized documents leveraging CVE-2015-2545.", - "meta" : { - "refs" : [ - "http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/" - ], - "type" :"rat" - } - }, - { - "value" : "Torn RAT", - "meta" : { - "refs" : [ - "https://www.crowdstrike.com/blog/whois-anchor-panda/" - ], - "synonyms" : [ - "Anchor Panda" - ], - "type": "rat" - } - }, - { - "value" : "OzoneRAT", - "meta" : { - "refs" : [ - "https://blog.fortinet.com/2016/08/29/german-speakers-targeted-by-spam-leading-to-ozone-rat" - ], - 
"synonyms" : [ - "Ozone RAT", - "ozonercp" - ], - "type" : [ - "rat" - ] - } - }, - { - "value" : "ZeGhost", - "description" : "ZeGhots is a RAT which was freely available and first released in 2014.", - "meta" : { - "refs" : [ - "https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor%3aWin32%2fZegost.BW" - ], - "synonyms" : [ - "BackDoor-FBZT!52D84425CDF2", - "Trojan.Win32.Staser.ytq", - "Win32/Zegost.BW" - ], - "type" : "rat" - } - }, - { - "value" : "Elise Backdoor", - "description" : " Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009", - "meta" : { - "refs" : [ - "http://thehackernews.com/2015/08/elise-malware-hacking.html" - ], - "synonyms" : [ - "Elise" - ], - "type" : "dropper, stealer" - } - }, - { - "value" : "Trojan.Laziok", - "description" : "A new information stealer, Trojan.Laziok, acts as a reconnaissance tool allowing attackers to gather information and tailor their attack methods for each compromised computer.", - "meta" : { - "refs" : [ - "http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector" - ], - "synonyms" : [ - "Laziok" - ], - "type" : "stealer ,reco" - } - }, - { - "value" : "Slempo", - "description" : "Android-based malware", - "meta" : { - "refs" : [ - "https://securityintelligence.com/android-malware-about-to-get-worse-gm-bot-source-code-leaked/" - ], - "synonyms" : [ - "GM-Bot", - "SlemBunk", - "Bankosy", - "Acecard" - ], - "type" : "spyware, android" - } - }, - { + { + "value": "PlugX", + "description": "Malware", + "meta": { + "refs": [ + "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/112/pulling-the-plug-on-plugx" + ], + "synonyms": [ + "Backdoor.FSZO-5117", + "Trojan.Heur.JP.juW@ayZZvMb", + "Trojan.Inject1.6386", + "Korplug", + "Agent.dhwf" + ], + "type": [ + "rat" + ] + } + }, + { + "value": "MSUpdater", + "description": " Trojan (RAT) linked to current targeted attacks and others dating back 
to at least early 2009", + "meta": { + "refs": [ + "https://www.zscaler.com/pdf/whitepapers/msupdater_trojan_whitepaper.pdfx" + ], + "type": [ + "rat" + ] + } + }, + { + "value": "Lazagne", + "description": "A password sthealing tool regularly used by attackers", + "meta": { + "refs": [ + "https://github.com/AlessandroZ/LaZagne" + ], + "type": [ + "tool" + ] + } + }, + { + "value": "Poison Ivy", + "description": "Poison Ivy is a RAT which was freely available and first released in 2005.", + "meta": { + "refs": [ + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf", + "https://www.f-secure.com/v-descs/backdoor_w32_poisonivy.shtml" + ], + "synonyms": [ + "Backdoor.Win32.PoisonIvy", + "Gen:Trojan.Heur.PT" + ], + "type": [ + "rat" + ] + } + }, + { + "value": "SPIVY", + "description": "In March 2016, Unit 42 observed this new Poison Ivy variant we’ve named SPIVY being deployed via weaponized documents leveraging CVE-2015-2545.", + "meta": { + "refs": [ + "http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/" + ], + "type": [ + "rat" + ] + } + }, + { + "value": "Torn RAT", + "meta": { + "refs": [ + "https://www.crowdstrike.com/blog/whois-anchor-panda/" + ], + "synonyms": [ + "Anchor Panda" + ], + "type": [ + "rat" + ] + } + }, + { + "value": "OzoneRAT", + "meta": { + "refs": [ + "https://blog.fortinet.com/2016/08/29/german-speakers-targeted-by-spam-leading-to-ozone-rat" + ], + "synonyms": [ + "Ozone RAT", + "ozonercp" + ], + "type": [ + "rat" + ] + } + }, + { + "value": "ZeGhost", + "description": "ZeGhots is a RAT which was freely available and first released in 2014.", + "meta": { + "refs": [ + "https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor%3aWin32%2fZegost.BW" + ], + "synonyms": [ + "BackDoor-FBZT!52D84425CDF2", + "Trojan.Win32.Staser.ytq", + "Win32/Zegost.BW" + ], + "type": [ + "rat" + ] + } + }, + { + 
"value": "Elise Backdoor", + "description": " Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009", + "meta": { + "refs": [ + "http://thehackernews.com/2015/08/elise-malware-hacking.html" + ], + "synonyms": [ + "Elise" + ], + "type": [ + "dropper", + "stealer" + ] + } + }, + { + "value": "Trojan.Laziok", + "description": "A new information stealer, Trojan.Laziok, acts as a reconnaissance tool allowing attackers to gather information and tailor their attack methods for each compromised computer.", + "meta": { + "refs": [ + "http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector" + ], + "synonyms": [ + "Laziok" + ], + "type": [ + "stealer", + "reco" + ] + } + }, + { + "value": "Slempo", + "description": "Android-based malware", + "meta": { + "refs": [ + "https://securityintelligence.com/android-malware-about-to-get-worse-gm-bot-source-code-leaked/" + ], + "synonyms": [ + "GM-Bot", + "SlemBunk", + "Bankosy", + "Acecard" + ], + "type": [ + "spyware", + "android" + ] + } + }, + { "value": "PWOBot", "description": "We have discovered a malware family named ‘PWOBot’ that is fairly unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows executable. The malware has been witnessed affecting a number of Europe-based organizations, particularly in Poland. 
Additionally, the malware is delivered via a popular Polish file-sharing web service.", "meta": { "refs": [ - "http://researchcenter.paloaltonetworks.com/2016/04/unit42-python-based-pwobot-targets-european-organizations/" + "http://researchcenter.paloaltonetworks.com/2016/04/unit42-python-based-pwobot-targets-european-organizations/" ], - "synonyms" : [ - "PWOLauncher", - "PWOHTTPD", - "PWOKeyLogger", - "PWOMiner", - "PWOPyExec", - "PWOQuery" + "synonyms": [ + "PWOLauncher", + "PWOHTTPD", + "PWOKeyLogger", + "PWOMiner", + "PWOPyExec", + "PWOQuery" ], - "type" : "dropper, coinminer, spyware" + "type": [ + "dropper", + "miner", + "spyware" + ] } }, { @@ -175,7 +202,9 @@ "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/" ], - "type": "rat" + "type": [ + "rat" + ] } }, { @@ -188,7 +217,9 @@ "refs": [ "http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf" ], - "type": "rat" + "type": [ + "rat" + ] } }, { @@ -198,7 +229,7 @@ "NanoCore", "Nancrat", "Zurten", - "Atros2.CKPN" + "Atros2.CKPN" ], "refs": [ "http://www.symantec.com/connect/blogs/nanocore-another-rat-tries-make-it-out-gutter", diff --git a/schema_clusters.json b/schema_clusters.json index 780bfe14..cf64f74c 100644 --- a/schema_clusters.json +++ b/schema_clusters.json @@ -74,7 +74,11 @@ "type": "string" }, "type": { - "type": "string" + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + } }, "impact": { "type": "string"
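Review bot: Besides the mechanical string-to-array conversion, the PWOBot entry near the end of the hunk silently renames `"coinminer"` to `"miner"`, which the commit does not mention and which breaks any consumer that filters on the old tag. The other converted values stay ad hoc — `"reco"` on Trojan.Laziok and `"android"` (a platform, not a tool category) on Slempo sit beside `"rat"`/`"tool"` — so the array form alone does not yield a consistent vocabulary; I would agree the tag list (`"coinminer"` vs `"miner"`, `"reco"` vs `"recon"`) and apply it before this lands, since the accompanying schema change accepts any string. Two pre-existing entries carried onto the new side also look wrong: MSUpdater and Elise Backdoor share the identical description `" Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009"` (leading space included) although Elise is now typed `["dropper", "stealer"]`, and MSUpdater's only reference ends in `.pdfx`, which is presumably a typo for `.pdf`.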
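Review bot: `items` is a bare `{ "type": "string" }`, so the new array form validates any tag and cannot catch the vocabulary drift already visible in the accompanying data (`"coinminer"` becoming `"miner"`, `"reco"` and `"android"` next to `"rat"`/`"tool"`). I would close the vocabulary with an enum, seeded from the values in this diff and completed from the rest of the file: `"items": { "type": "string", "enum": ["rat", "tool", "dropper", "stealer", "spyware", "miner", "reco", "android"] }`, and add `"minItems": 1` if an empty `type` array should be rejected. `uniqueItems` is a sensible addition. Whether `type` is mandatory is decided by a `required` list outside this hunk, so I cannot tell from here; if it is meant to be, that list needs updating as well.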