Merge pull request #210 from Delta-Sierra/master

update/add some clusters
2018-05-15 14:15:31 +02:00 · 2018-05-15 14:15:31 +02:00 · be619988a7
parent 6c80c0923a 3d5c697761
commit be619988a7
4 changed files with 89 additions and 8 deletions
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@ -566,6 +566,16 @@
        ]
      },
      "uuid": "cdf1148c-5358-11e8-87e5-ab60d455597f"
+    },
+    {
+      "value": "Mettle",
+      "description": "Command-and-control panel and the scanner of this botnet is hosted on a server residing in Vietnam. Attackers have been utilizing an open-sourced Mettle attack module to implant malware on vulnerable routers.",
+      "meta": {
+        "refs": [
+          "https://thehackernews.com/2018/05/botnet-malware-hacking.html"
+        ]
+      },
+      "uuid": "77a308b6-575d-11e8-89a9-3f6a2a9c08bb"
    }
  ],
  "name": "Botnet",
@ -576,5 +586,5 @@
  ],
  "description": "botnet galaxy",
  "uuid": "a91732f4-164a-11e8-924a-ffd4097eb03f",
-  "version": 4
+  "version": 5
 }
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@ -9071,7 +9071,8 @@
      "description": "The ransomware does not use a customized desktop wallpaper to signal its presence, and the only way to discover that SynAck has infected your PC is by the ransom notes dropped on the user's desktop, named in the format: RESTORE_INFO-[id].txt. For example: RESTORE_INFO-4ABFA0EF.txt\n In addition, SynAck also appends its own extension at the end of all files it encrypted. This file extensions format is ten random alpha characters for each file. For example: test.jpg.XbMiJQiuoh. Experts believe the group behind SynAck uses RDP brute-force attacks to access remote computers and manually download and install the ransomware.",
      "meta": {
        "refs": [
-          "https://www.bleepingcomputer.com/news/security/synack-ransomware-sees-huge-spike-in-activity/"
+          "https://www.bleepingcomputer.com/news/security/synack-ransomware-sees-huge-spike-in-activity/",
+          "https://www.bleepingcomputer.com/news/security/synack-ransomware-uses-process-doppelg-nging-technique/"
        ],
        "synonyms": [
          "Syn Ack"
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@ -1167,7 +1167,11 @@
          "Unit 121",
          "Bureau 121",
          "NewRomanic Cyber Army Team",
-          "Bluenoroff"
+          "Bluenoroff",
+          "Group 77",
+          "Labyrinth Chollima",
+          "Operation Troy",
+          "Operation GhostSecret"
        ],
        "refs": [
          "https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/",
@ -1176,7 +1180,8 @@
          "http://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf",
          "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity",
          "https://www.us-cert.gov/ncas/alerts/TA17-318A",
-          "https://www.us-cert.gov/ncas/alerts/TA17-318B"
+          "https://www.us-cert.gov/ncas/alerts/TA17-318B",
+          "https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/"
        ]
      },
      "value": "Lazarus Group",
@ -2689,5 +2694,5 @@
  ],
  "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
  "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
-  "version": 39
+  "version": 40
 }
--- a/clusters/tool.json
+++ b/clusters/tool.json
@ -11,7 +11,7 @@
  ],
  "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
  "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
-  "version": 68,
+  "version": 70,
  "values": [
    {
      "meta": {
@ -1541,7 +1541,8 @@
    {
      "meta": {
        "refs": [
-          "https://en.wikipedia.org/wiki/Necurs_botnet"
+          "https://en.wikipedia.org/wiki/Necurs_botnet",
+          "https://www.bleepingcomputer.com/news/security/worlds-largest-spam-botnet-finds-a-new-way-to-avoid-detection-for-now/"
        ]
      },
      "description": "The Necurs botnet is a distributor of many pieces of malware, most notably Locky.",
@ -3467,7 +3468,8 @@
      "meta": {
        "refs": [
          "https://www.bleepingcomputer.com/news/security/quant-loader-is-now-bundled-with-other-crappy-malware/",
-          "https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground"
+          "https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground",
+          "https://www.bleepingcomputer.com/news/security/worlds-largest-spam-botnet-finds-a-new-way-to-avoid-detection-for-now/"
        ]
      },
      "uuid": "2d1aadfb-03c1-4580-b6ac-f12c6941067d"
@ -4172,6 +4174,69 @@
        ]
      },
      "uuid": "d83ec444-535c-11e8-ae83-831d0a85d77a"
+    },
+    {
+      "value": "Huigezi malware",
+      "description": "backdoor trojan popular found prevalently in China",
+      "meta": {
+        "refs": [
+          "https://www.bleepingcomputer.com/news/gaming/chinese-police-arrest-15-people-who-hid-malware-inside-pubg-cheat-apps/"
+        ]
+      },
+      "uuid": "6aef5a32-5381-11e8-ac5a-bb46d8986552"
+    },
+    {
+      "value": "FacexWorm",
+      "description": "Facebook, Chrome, and cryptocurrency users should be on the lookout for a new malware strain named FacexWorm that infects victims for the purpose of stealing passwords, stealing cryptocurrency funds, running cryptojacking scripts, and spamming Facebook users. This new strain was spotted in late April by Trend Micro researchers and appears to be related to two other Facebook Messenger spam campaigns, one that took place last August, and another one from December 2017, the latter spreading the Digmine malware. Researchers say FacexWorm's modus operandi is similar to the previous two campaigns, but with the addition of new techniques aimed at cryptocurrency users.",
+      "meta": {
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/facexworm-spreads-via-facebook-messenger-malicious-chrome-extension/"
+        ]
+      },
+      "uuid": "86ac8c80-5382-11e8-b893-4f1651951472"
+    },
+    {
+      "value": "Bankshot",
+      "description": "implant used in Operation GhostSecret",
+      "meta": {
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/"
+        ]
+      },
+      "uuid": "d9431c02-5391-11e8-931f-4beceb8bd697"
+    },
+    {
+      "value": "Proxysvc",
+      "description": "downloader used in Operation GhostSecret",
+      "meta": {
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/"
+        ]
+      },
+      "uuid": "dafba168-5391-11e8-87e4-0f93b75d6ac0"
+    },
+    {
+      "value": "Escad",
+      "description": "backdoor used in Operation GhostSecret",
+      "meta": {
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/"
+        ]
+      },
+      "uuid": "db36cf9a-5391-11e8-b53a-97adedf48055"
+    },
+    {
+      "value": "StalinLocker",
+      "description": "A new in-development screenlocker/wiper called StalinLocker, or StalinScreamer, was discovered by MalwareHunterTeam that gives you 10 minutes to enter a code or it will try to delete the contents of the drives on the computer. While running, it will display screen that shows Stalin while playing the USSR anthem and displaying a countdown until files are deleted.",
+      "meta": {
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/stalinlocker-deletes-your-files-unless-you-enter-the-right-code/"
+        ],
+        "synonyms": [
+          "StalinScreamer"
+        ]
+      },
+      "uuid": "50eb8c54-5828-11e8-8d6b-232bb9329fc0"
    }
  ]
 }