MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

merge

pull/634/head
Delta-Sierra 2021-03-11 10:35:05 +01:00
parent 0e23d8b95f 855a12a408
commit c37befc8a9
6 changed files with 152 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
clusters/microsoft-activity-group.json
View File

@ -287,7 +287,17 @@
},
"uuid": "99e708f7-1c01-467d-b0da-f6cebd434abc",
"value": "GADOLINIUM"
},
{
"description": "HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once theyve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA. In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets environments. HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.",
"meta": {
"refs": [
"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/"
]
},
"uuid": "fbb66d6c-0faa-49cc-8aa3-2f9bd4e9c298",
"value": "HAFNIUM"
}
],
"version": 9
"version": 10
}

2
clusters/mitre-ics-tactics.json
View File

@ -271,7 +271,7 @@
]
},
"uuid": "2366ffb0-91ba-4b8e-bfad-d460c98d43a8",
"value": "Innitial Access"
"value": "Initial Access"
}
],
"version": 1

41
clusters/ransomware.json
View File

@ -13420,7 +13420,7 @@
"https://www.fortinet.com/blog/threat-research/analysis-of-new-globeimposter-ransomware-variant.html"
]
},
"uuid": "8cfa694c-2e6b-310a-728f-027d981870b2",
"uuid": "a4631cef-dc51-4bee-a51f-3f1ea75ff201",
"value": "GlobeImposter"
},
{
@ -13432,7 +13432,7 @@
"https://spyware-techie.com/blackworm-ransomware-removal-guide"
]
},
"uuid": "8cfa694a-2e5b-300a-727f-027d881870b2",
"uuid": "457e9a45-607e-41ef-8ad1-bf8684722445",
"value": "BlackWorm"
},
{
@ -13444,7 +13444,7 @@
"https://malware.wikia.org/wiki/Tellyouthepass"
]
},
"uuid": "7cfa694a-1e5b-300a-627f-027d881870b1",
"uuid": "c6ca9b44-d0cd-40c9-9d00-39e0f7bcae79",
"value": "Tellyouthepass"
},
{
@ -13455,7 +13455,7 @@
"https://www.2-spyware.com/remove-bigbobross-ransomware.html"
]
},
"uuid": "8cfa684a-1e4b-309a-617f-026d881870b1",
"uuid": "5d3fc33b-8e90-4d9d-8f45-f047264ce8cb",
"value": "BigBobRoss"
},
{
@ -13466,7 +13466,7 @@
"https://www.pcrisk.com/removal-guides/12121-planetary-ransomware"
]
},
"uuid": "6cfa664a-1e2b-329a-607f-026d781870b1",
"uuid": "7c742031-6b3d-4c3a-8b36-9154a6dc7b30",
"value": "Planetary"
},
{
@ -13483,7 +13483,7 @@
"Cripttor"
]
},
"uuid": "8cfa554a-1e1b-328a-606f-026d771870b1",
"uuid": "e19d92d7-cf17-4b2b-8ec2-1efc6df2fa1e",
"value": "Cr1ptT0r"
},
{
@ -13508,7 +13508,7 @@
"https://www.zdnet.com/article/new-phobos-ransomware-exploits-weak-security-to-hit-targets-around-the-world/"
]
},
"uuid": "6cfa554a-1e1b-327a-605f-025d761570b1",
"uuid": "d2c7fb08-293e-453b-a213-adeb79505767",
"value": "Phobos"
},
{
@ -13520,7 +13520,7 @@
"https://www.ehackingnews.com/2019/05/getcrypt-ransomware-modus-operandi-and.html"
]
},
"uuid": "6cfa553a-1e1b-115a-401f-015d681470b1",
"uuid": "7c9df1bd-9212-4ce3-b407-636e41bc4eea",
"value": "GetCrypt"
},
{
@ -13532,7 +13532,7 @@
"https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/nemty-ransomware-possibly-spreads-through-exposed-remote-desktop-connections"
]
},
"uuid": "6cfa554a-1e2b-115a-400f-014d671470b1",
"uuid": "5fb75933-1ed5-4512-a062-d39865eedab0",
"value": "Nemty"
},
{
@ -13542,7 +13542,7 @@
"https://www.acronis.com/en-us/blog/posts/meet-buran-new-delphi-ransomware-delivered-rig-exploit-kit"
]
},
"uuid": "6cfa554a-1e1b-114a-300f-013d671370b0",
"uuid": "a92b2165-29e7-463a-b3d5-c8b7d8a25f65",
"value": "Buran"
},
{
@ -13552,7 +13552,7 @@
"https://securitynews.sonicwall.com/xmlpost/hildacrypt-ransomware-actively-spreading-in-the-wild/"
]
},
"uuid": "6cea5549-1d1b-111a-309f-012d671360b1",
"uuid": "25fcb177-7219-4414-b5de-8aeb2e6d146f",
"value": "Hildacrypt"
},
{
@ -13568,7 +13568,7 @@
"Sherminator"
]
},
"uuid": "7cea4438-1d1c-121a-30af-011d661260b2",
"uuid": "2e8aa6da-00b1-4222-b212-c48a7348893c",
"value": "Mr.Dec"
},
{
@ -13582,7 +13582,7 @@
"Freezing"
]
},
"uuid": "4cea4448-1d3c-111a-40af-011d461260b4",
"uuid": "9b074569-b90c-44e6-b9b2-e6e19a48118d",
"value": "Freeme"
},
{
@ -13594,7 +13594,7 @@
"https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer"
]
},
"uuid": "5cea5548-1e3c-222a-3faf-022d461260b5",
"uuid": "3d8989dc-9a10-4cae-ab24-ff0abed487f4",
"value": "DoppelPaymer"
},
{
@ -13605,7 +13605,7 @@
"https://id-ransomware.blogspot.com/2019/01/unnamed-desync-ransomware.html"
]
},
"uuid": "6cea5546-1e2c-333a-4faf-033d461360b5",
"uuid": "e5288fc1-ff2a-4992-a1fb-6a8ef612de51",
"value": "Desync"
},
{
@ -13627,7 +13627,6 @@
"type": "related-to"
}
],
"uuid": "7cea8846-1f3d-331a-3ebf-055d452351b6",
"value": "Maze"
},
{
@ -13660,7 +13659,7 @@
"https://malpedia.caad.fkie.fraunhofer.de/details/ps1.ftcode"
]
},
"uuid": "7cea9946-1f4d-441a-4ebf-044d442454b6",
"uuid": "6f9b7c54-45fa-422c-97f0-0f0c015e3c4e",
"value": "FTCode"
},
{
@ -13937,7 +13936,7 @@
"type": "variant-of"
},
{
"dest-uuid": "7cea8846-1f3d-331a-3ebf-055d452351b6",
"dest-uuid": "5d999c23-11cf-4dee-84bb-f447a4f70dc8",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
@ -14106,7 +14105,7 @@
"type": "similar"
},
{
"dest-uuid": "7cea8846-1f3d-331a-3ebf-055d452351b6",
"dest-uuid": "5d999c23-11cf-4dee-84bb-f447a4f70dc8",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
@ -14141,7 +14140,7 @@
"type": "similar"
},
{
"dest-uuid": "7cea8846-1f3d-331a-3ebf-055d452351b6",
"dest-uuid": "5d999c23-11cf-4dee-84bb-f447a4f70dc8",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
@ -14152,5 +14151,5 @@
"value": "Sekhmet"
}
],
"version": 93
"version": 94
}

6
clusters/stealer.json
View File

@ -63,7 +63,7 @@
"https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar"
]
},
"uuid": "a646edaa-4c6f-3a79-7a6c-143535259e15",
"uuid": "045ab0d5-2f08-4fcd-af47-81c1143fa5fb",
"value": "Vidar"
},
{
@ -74,9 +74,9 @@
"https://blog.yoroi.company/research/the-ave_maria-malware/"
]
},
"uuid": "a546edaa-4c6f-2a79-7a6c-133535249e14",
"uuid": "f3413f6c-5c3a-4df0-bbb5-2dbdf4d68c4c",
"value": "Ave Maria"
}
],
"version": 6
"version": 7
}

66
clusters/threat-actor.json
View File

@ -4308,9 +4308,12 @@
"cfr-type-of-incident": "Espionage",
"country": "IR",
"refs": [
"https://www.intezer.com/prince-of-persia-the-sands-of-foudre/",
"https://www.freebuf.com/articles/network/105726.html",
"https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf",
"https://iranthreats.github.io/",
"http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/",
"http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/",
"https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/",
"https://www.cfr.org/interactive/cyber-operations/prince-persia",
"https://unit42.paloaltonetworks.com/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/",
@ -4318,7 +4321,8 @@
],
"synonyms": [
"Operation Mermaid",
"Prince of Persia"
"Prince of Persia",
"Foudre"
]
},
"uuid": "1671be1b-c844-48f5-84c8-54ac4fe4d71e",
@ -4774,7 +4778,8 @@
],
"synonyms": [
"CactusPete",
"Karma Panda"
"Karma Panda",
"BRONZE HUNTLEY"
]
},
"uuid": "0ab7c8de-fc23-4793-99aa-7ee336199e26",
@ -7951,7 +7956,10 @@
" https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html"
],
"synonyms": [
"RAZOR TIGER"
"RAZOR TIGER",
"Rattlesnake",
"APT-C-17",
"T-APT-04"
]
},
"related": [
@ -8008,21 +8016,6 @@
"uuid": "947a450a-df6c-4c2e-807b-0da8ecea1d26",
"value": "Attor"
},
{
"description": "DePriMon is an unusually advanced downloader whose developers have put extra effort into setting up the architecture and crafting the critical components.",
"meta": {
"cfr-target-category": [
"Private sector",
"Finance"
],
"cfr-type-of-incident": "Espionage",
"refs": [
"https://www.welivesecurity.com/2019/11/21/deprimon-default-print-monitor-malicious-downloader"
]
},
"uuid": "443faf38-ad93-4421-8a53-47ad84b195fa",
"value": "DePriMon"
},
{
"description": "According to 360 TIC the actor has carried out continuous cyber espionage activities since 2011 on key units and departments of the Chinese government, military industry, scientific research, and finance. The organization focuses on information related to the nuclear industry and scientific research. The targets were mainly concentrated in mainland China...[M]ore than 670 malware samples have been collected from the group, including more than 60 malicious plugins specifically for lateral movement; more than 40 C2 domain names and IPs related to the organization have also been discovered.",
"meta": {
@ -8447,10 +8440,14 @@
"https://news.sophos.com/en-us/2020/12/21/how-sunburst-malware-does-defense-evasion/",
"https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
"https://pastebin.com/6EDgCKxd",
"https://github.com/fireeye/sunburst_countermeasures"
"https://github.com/fireeye/sunburst_countermeasures",
"https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware",
"https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html"
],
"synonyms": [
"DarkHalo"
"DarkHalo",
"StellarParticle",
"NOBELIUM"
]
},
"uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b",
@ -8473,7 +8470,34 @@
},
"uuid": "27de6a09-844b-4dcb-9ff9-7292aad826ba",
"value": "TeamTNT"
},
{
"description": "HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures. HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once theyve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets environments. HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.",
"meta": {
"refs": [
"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
"https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html",
"https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers",
"https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day",
"https://twitter.com/ESETresearch/status/1366862946488451088",
"https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html",
"https://us-cert.cisa.gov/ncas/alerts/aa21-062a",
"https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289",
"https://github.com/microsoft/CSS-Exchange/tree/main/Security",
"https://github.com/cert-lv/exchange_webshell_detection",
"https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits",
"https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021",
"https://pastebin.com/J4L3r2RS",
"https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers",
"https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Execution/exchange-iis-worker-dropping-webshell.md",
"https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server",
"https://www.nextron-systems.com/2021/03/06/scan-for-hafnium-exploitation-evidence-with-thor-lite"
]
},
"uuid": "4f05d6c1-3fc1-4567-91cd-dd4637cc38b5",
"value": "HAFNIUM"
}
],
"version": 198
"version": 199
}

73
clusters/tool.json
View File

@ -8221,7 +8221,78 @@
"related": [],
"uuid": "e1bfe1d9-190c-4cf4-aec8-a8f2c41c7d8b",
"value": "HyperBro"
},
{
"description": "SUNSPOT is StellarParticles malware used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product.",
"meta": {
"refs": [
"https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/"
]
},
"uuid": "d9b2305e-9802-483c-a95d-2ae8525c7704",
"value": "SUNSPOT"
},
{
"description": "",
"meta": {
"refs": [
"https://www.clearskysec.com/cedar/"
],
"type": [
"webshell"
]
},
"related": [],
"uuid": "1974ea65-7312-4d91-a592-649983b46554",
"value": "Caterpillar WebShell"
},
{
"description": "The P.A.S. webshell was developed by an ukrainian student, Jaroslav Volodimirovich Panchenko, who used the nick-name Profexer. It was developed in PHP and features a characteristic password-based encryption. This tool was available through a form on his website, where a user had to provide a password to receive a custom webshell. The form suggested a donation to the developer. It was commonly used, including during a WORDPRESS website attack.",
"meta": {
"refs": [
"https://us-cert.cisa.gov/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity",
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"
],
"synonyms": [
"Fobushell"
],
"type": [
"webshell"
]
},
"related": [],
"uuid": "6baa1f46-daa9-4f40-952b-ec613c835abb",
"value": "P.A.S. webshell"
},
{
"description": "Exaramel is a backdoor first publicly reported by ESET in 2018. Two samples were identified, one targeting the WINDOWS operating system and the other targeting LINUX operating systems.",
"meta": {
"refs": [
"https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/",
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"
],
"type": [
"backdoor"
]
},
"related": [],
"uuid": "95174297-6dff-47d9-bcb9-263f9b2efcfb",
"value": "Exaramel"
},
{
"description": "RDAT is a backdoor used by the suspected Iranian threat group OilRig. RDAT was originally identified in 2017 and targeted companies in the telecommunications sector.",
"meta": {
"refs": [
"https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/"
],
"type": [
"backdoor"
]
},
"related": [],
"uuid": "d357a6ff-00e5-4fcc-8b9e-4a9d98a736e7",
"value": "RDAT"
}
],
"version": 140
"version": 144
}