Merge pull request #2 from MISP/main

Sync Forks
pull/637/head
sebdraven 2021-03-30 11:52:37 +02:00 committed by GitHub
commit cb66ed6275
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 16584 additions and 1387 deletions


@ -7,7 +7,7 @@
"description": "A list of cryptominer and cryptojacker malware.",
"name": "Cryptominers",
"source": "Open Source Intelligence",
"type": "malware",
"type": "cryptominers",
"uuid": "d7dd3f0c-de73-4148-a786-f8ad3661d293",
"values": [
{



@ -2564,6 +2564,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e69f9836-873a-43d3-92a8-97ab783a4171",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "54895630-efd2-4608-9c24-319de972a9eb",


@ -5799,6 +5799,7 @@
{
"description": "Ransomware",
"meta": {
"encryption": "AES",
"extensions": [
".crypt",
"4 random characters, e.g., .PzZs, .MKJL"
@ -6094,6 +6095,7 @@
{
"description": "Ransomware no extension change",
"meta": {
"encryption": "RSA",
"payment-method": "Bitcoin",
"price": "0.9 (500$) - 1.9 (1000$) after 4 days",
"ransomnotes-filenames": [
@ -6486,8 +6488,9 @@
"value": "CryptoTrooper"
},
{
"description": "Ransomware",
"description": "Ransomware, Infection by Phishing",
"meta": {
"encryption": "RSA",
"payment-method": "Bitcoin",
"price": "1.09 (500$)",
"ransomnotes-filenames": [
@ -8935,8 +8938,9 @@
"value": "Offline ransomware"
},
{
"description": "Ransomware",
"description": "Ransomware. Infection: drive-by-download; Platform: Windows; Extorsion by Prepaid Voucher",
"meta": {
"Encryption": "RSA",
"extensions": [
".LOL!",
".OMG!"
@ -8946,6 +8950,9 @@
"ransomnotes-filenames": [
"how to get data.txt"
],
"refs": [
"https://arxiv.org/pdf/2102.06249.pdf"
],
"synonyms": [
"GPCode"
]
@ -9530,6 +9537,7 @@
{
"description": "Ransomware no extension change, Javascript Ransomware",
"meta": {
"encryption": "AES",
"payment-method": "Bitcoin",
"price": "1",
"refs": [
@ -11209,6 +11217,7 @@
{
"description": "On October 24, 2017, Cisco Talos was alerted to a widescale ransomware campaign affecting organizations across eastern Europe and Russia. As was the case in previous situations, we quickly mobilized to assess the situation and ensure that customers remain protected from this and other threats as they emerge across the threat landscape. There have been several large scale ransomware campaigns over the last several months. This appears to have some similarities to Nyetya in that it is also based on Petya ransomware. Major portions of the code appear to have been rewritten. The distribution does not appear to have the sophistication of the supply chain attacks we have seen recently.",
"meta": {
"encryption": "AES+RSA",
"payment-method": "Bitcoin",
"price": "0.05 (300 $)",
"ransomnotes": [
@ -13411,7 +13420,7 @@
"https://www.fortinet.com/blog/threat-research/analysis-of-new-globeimposter-ransomware-variant.html"
]
},
"uuid": "8cfa694c-2e6b-310a-728f-027d981870b2",
"uuid": "a4631cef-dc51-4bee-a51f-3f1ea75ff201",
"value": "GlobeImposter"
},
{
@ -13423,7 +13432,7 @@
"https://spyware-techie.com/blackworm-ransomware-removal-guide"
]
},
"uuid": "8cfa694a-2e5b-300a-727f-027d881870b2",
"uuid": "457e9a45-607e-41ef-8ad1-bf8684722445",
"value": "BlackWorm"
},
{
@ -13435,7 +13444,7 @@
"https://malware.wikia.org/wiki/Tellyouthepass"
]
},
"uuid": "7cfa694a-1e5b-300a-627f-027d881870b1",
"uuid": "c6ca9b44-d0cd-40c9-9d00-39e0f7bcae79",
"value": "Tellyouthepass"
},
{
@ -13446,7 +13455,7 @@
"https://www.2-spyware.com/remove-bigbobross-ransomware.html"
]
},
"uuid": "8cfa684a-1e4b-309a-617f-026d881870b1",
"uuid": "5d3fc33b-8e90-4d9d-8f45-f047264ce8cb",
"value": "BigBobRoss"
},
{
@ -13457,7 +13466,7 @@
"https://www.pcrisk.com/removal-guides/12121-planetary-ransomware"
]
},
"uuid": "6cfa664a-1e2b-329a-607f-026d781870b1",
"uuid": "7c742031-6b3d-4c3a-8b36-9154a6dc7b30",
"value": "Planetary"
},
{
@ -13474,7 +13483,7 @@
"Cripttor"
]
},
"uuid": "8cfa554a-1e1b-328a-606f-026d771870b1",
"uuid": "e19d92d7-cf17-4b2b-8ec2-1efc6df2fa1e",
"value": "Cr1ptT0r"
},
{
@ -13499,7 +13508,7 @@
"https://www.zdnet.com/article/new-phobos-ransomware-exploits-weak-security-to-hit-targets-around-the-world/"
]
},
"uuid": "6cfa554a-1e1b-327a-605f-025d761570b1",
"uuid": "d2c7fb08-293e-453b-a213-adeb79505767",
"value": "Phobos"
},
{
@ -13511,7 +13520,7 @@
"https://www.ehackingnews.com/2019/05/getcrypt-ransomware-modus-operandi-and.html"
]
},
"uuid": "6cfa553a-1e1b-115a-401f-015d681470b1",
"uuid": "7c9df1bd-9212-4ce3-b407-636e41bc4eea",
"value": "GetCrypt"
},
{
@ -13523,7 +13532,7 @@
"https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/nemty-ransomware-possibly-spreads-through-exposed-remote-desktop-connections"
]
},
"uuid": "6cfa554a-1e2b-115a-400f-014d671470b1",
"uuid": "5fb75933-1ed5-4512-a062-d39865eedab0",
"value": "Nemty"
},
{
@ -13533,7 +13542,7 @@
"https://www.acronis.com/en-us/blog/posts/meet-buran-new-delphi-ransomware-delivered-rig-exploit-kit"
]
},
"uuid": "6cfa554a-1e1b-114a-300f-013d671370b0",
"uuid": "a92b2165-29e7-463a-b3d5-c8b7d8a25f65",
"value": "Buran"
},
{
@ -13543,7 +13552,7 @@
"https://securitynews.sonicwall.com/xmlpost/hildacrypt-ransomware-actively-spreading-in-the-wild/"
]
},
"uuid": "6cea5549-1d1b-111a-309f-012d671360b1",
"uuid": "25fcb177-7219-4414-b5de-8aeb2e6d146f",
"value": "Hildacrypt"
},
{
@ -13559,7 +13568,7 @@
"Sherminator"
]
},
"uuid": "7cea4438-1d1c-121a-30af-011d661260b2",
"uuid": "2e8aa6da-00b1-4222-b212-c48a7348893c",
"value": "Mr.Dec"
},
{
@ -13573,7 +13582,7 @@
"Freezing"
]
},
"uuid": "4cea4448-1d3c-111a-40af-011d461260b4",
"uuid": "9b074569-b90c-44e6-b9b2-e6e19a48118d",
"value": "Freeme"
},
{
@ -13585,7 +13594,7 @@
"https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer"
]
},
"uuid": "5cea5548-1e3c-222a-3faf-022d461260b5",
"uuid": "3d8989dc-9a10-4cae-ab24-ff0abed487f4",
"value": "DoppelPaymer"
},
{
@ -13596,7 +13605,7 @@
"https://id-ransomware.blogspot.com/2019/01/unnamed-desync-ransomware.html"
]
},
"uuid": "6cea5546-1e2c-333a-4faf-033d461360b5",
"uuid": "e5288fc1-ff2a-4992-a1fb-6a8ef612de51",
"value": "Desync"
},
{
@ -13609,7 +13618,16 @@
"https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us"
]
},
"uuid": "7cea8846-1f3d-331a-3ebf-055d452351b6",
"related": [
{
"dest-uuid": "e69f9836-873a-43d3-92a8-97ab783a4171",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "related-to"
}
],
"uuid": "c60776a6-91dd-499b-8b4c-7940479e71fc",
"value": "Maze"
},
{
@ -13642,7 +13660,7 @@
"https://malpedia.caad.fkie.fraunhofer.de/details/ps1.ftcode"
]
},
"uuid": "7cea9946-1f4d-441a-4ebf-044d442454b6",
"uuid": "6f9b7c54-45fa-422c-97f0-0f0c015e3c4e",
"value": "FTCode"
},
{
@ -13900,14 +13918,32 @@
"RECOVER-FILES.txt"
],
"ransomnotes-refs": [
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2020/september/25/egregor.jpg"
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2020/september/25/egregor.jpg",
"https://2kjpox12cnap3zv36440iue7-wpengine.netdna-ssl.com/wp-content/uploads/2020/10/egregor-ransom-demanding-message.png"
],
"refs": [
"https://www.appgate.com/news-press/appgate-labs-analyzes-new-family-of-ransomware-egregor",
"https://www.bleepingcomputer.com/news/security/crytek-hit-by-egregor-ransomware-ubisoft-data-leaked/",
"https://cybersecuritynews.com/egregor-ransomware/"
"https://cybersecuritynews.com/egregor-ransomware/",
"https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/"
]
},
"related": [
{
"dest-uuid": "6fb1ea9e-5389-4932-8b22-c691b74b75a8",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "variant-of"
},
{
"dest-uuid": "5d999c23-11cf-4dee-84bb-f447a4f70dc8",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "successor-of"
}
],
"uuid": "8bd094a7-103f-465f-8640-18dcc53042e5",
"value": "Egregor"
},
@ -14025,7 +14061,96 @@
},
"uuid": "dff71334-c173-45b6-8647-af66be0605d7",
"value": "RansomEXX"
},
{
"description": "Mobile ransomware. The Zscaler ThreatLabZ team recently came across a URL named hxxp://coronavirusapp[.]site/mobile.html, which portrays itself as a download site for an Android app that tracks the coronavirus spread across the globe. In reality, the app is Android ransomware, which locks out the victim and asks for ransom to unlock the device.\nThe app portrays itself as a Coronavirus Tracker. As soon as it starts running, it asks the user for several authorizations, including admin rights.\n In fact, this ransomware does not encrypt nor steal anything and only lock the device with an hard coded code.",
"meta": {
"ransomnotes-refs": [
"https://www.zscaler.com/sites/default/files/images/blogs/covid/covid_lock_screen_edited_4.png",
"https://www.zscaler.com/sites/default/files/images/blogs/covid/covid_pastebin_5.png"
],
"refs": [
"https://www.zscaler.com/blogs/security-research/covidlock-android-ransomware-walkthrough-and-unlocking-routine"
]
},
"uuid": "b5fe83e9-c5d7-4b0e-99ab-4f1d356d1749",
"value": "CovidLock"
},
{
"description": "This malware is written in Java and is named after references in the code. Tycoon has been in the wild since December 2019 and has targeted organizations in the education, SMBs, and software industries.\nTycoon is a multi-platform Java ransomware that targets Windows and Linux systems. This ransomware denies access to the system administrator following an attack on the domain controller and file servers. The initial intrusion occurs through an internet-facing remote desktop protocol (RDP) jump-server.",
"meta": {
"date": "december 2019",
"refs": [
"https://cyberflorida.org/threat-advisory/tycoon-ransomware/",
"https://usf.app.box.com/s/83xh0t5w99klrsoisorir7kgs14o972s"
]
},
"uuid": "39781a7a-cd3a-4e24-aeb8-94a767a2551b",
"value": "Tycoon"
},
{
"description": "Ragnar Locker is a ransomware identified in December 2019 that targetscorporate networks inBig Game Huntingtargeted attacks. This reportpresents recent elements regarding this ransomware.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-targets-msp-enterprise-support-tools/",
"https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
"https://www.cybersecurity-insiders.com/ransomware-attack-makes-cwt-pay-4-5-million-in-bitcoins-to-hackers/"
]
},
"related": [
{
"dest-uuid": "54895630-efd2-4608-9c24-319de972a9eb",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "5d999c23-11cf-4dee-84bb-f447a4f70dc8",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "related-to"
}
],
"uuid": "e69f9836-873a-43d3-92a8-97ab783a4171",
"value": "Ragnar Locker"
},
{
"description": "Ransom.Sekhmet not only encrypts a victims files, but also threatens to publish them.",
"meta": {
"ransomnotes-filenames": [
"RECOVER-FILES.txt"
],
"ransomnotes-refs": [
"https://blog.malwarebytes.com/wp-content/uploads/2020/11/Sekhmet_ransom_note.png"
],
"refs": [
"https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/",
"https://www.zdnet.com/article/as-maze-ransomware-group-retires-clients-turn-to-sekhmet-ransomware-spin-off-egregor/",
"https://blog.malwarebytes.com/detections/ransom-sekhmet/",
"https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/"
]
},
"related": [
{
"dest-uuid": "8bd094a7-103f-465f-8640-18dcc53042e5",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "5d999c23-11cf-4dee-84bb-f447a4f70dc8",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "successor-of"
}
],
"uuid": "6fb1ea9e-5389-4932-8b22-c691b74b75a8",
"value": "Sekhmet"
}
],
"version": 91
"version": 94
}
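Review bot: The GPCode entry's new meta key is written `"Encryption": "RSA",` while every other entry touched in this file uses lowercase `"encryption"` (CryptoTrooper's neighbour, the Bad Rabbit-style entry, the Javascript ransomware entry, etc.); any consumer filtering on `meta.encryption` will silently miss it, so it should read `"encryption": "RSA",`. The new Egregor and Sekhmet entries disagree about their relationship — Egregor declares `"type": "variant-of"` pointing at Sekhmet's uuid, while Sekhmet declares `"type": "similar"` pointing back at Egregor — and one of the two should be changed so the graph is consistent. The Ragnar Locker description has lost its spaces ("targetscorporate networks inBig Game Huntingtargeted attacks. This reportpresents …") and the GPCode description spells "Extorsion"; both are displayed verbatim in MISP and should be cleaned up. Tycoon's `"date": "december 2019"` is free text where an ISO-style `"2019-12"` would sort and compare correctly, assuming the cluster schema does not mandate another form.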


@ -63,7 +63,7 @@
"https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar"
]
},
"uuid": "a646edaa-4c6f-3a79-7a6c-143535259e15",
"uuid": "045ab0d5-2f08-4fcd-af47-81c1143fa5fb",
"value": "Vidar"
},
{
@ -74,9 +74,9 @@
"https://blog.yoroi.company/research/the-ave_maria-malware/"
]
},
"uuid": "a546edaa-4c6f-2a79-7a6c-133535249e14",
"uuid": "f3413f6c-5c3a-4df0-bbb5-2dbdf4d68c4c",
"value": "Ave Maria"
}
],
"version": 6
"version": 7
}
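Review bot: Replacing the `uuid` of the existing Vidar and Ave Maria entries changes the identity of those clusters rather than fixing a value; as far as I know MISP matches galaxy clusters by uuid, so instances that already synced them will see a new cluster alongside an orphaned old one, and any other galaxy file whose `related[].dest-uuid` still carries the old id will dangle. The old ids do look malformed (their version and variant nibbles are not RFC 4122 values), so the rewrite may well be deliberate, but the commit message says only "Sync Forks" and should state the reason. Before merging, the old uuids should be grepped for across the other cluster files to make sure no `dest-uuid` references are left behind.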


@ -4778,7 +4778,8 @@
],
"synonyms": [
"CactusPete",
"Karma Panda"
"Karma Panda",
"BRONZE HUNTLEY"
]
},
"uuid": "0ab7c8de-fc23-4793-99aa-7ee336199e26",
@ -7950,6 +7951,9 @@
"refs": [
"https://securelist.com/apt-trends-report-q1-2018/85280/",
"https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/",
"https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewinder",
"https://otx.alienvault.com/pulse/5fd10760f9afb730d37c4742/",
"https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html",
"https://s.tencent.com/research/report/659.html",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/fireeye-sidewinder-targeted-attack.pdf",
"https://s.tencent.com/research/report/479.html",
@ -7962,6 +7966,15 @@
"T-APT-04"
]
},
"related": [
{
"dest-uuid": "3c43bd4c-8c40-47b5-ae97-3dd0f0c0e8d8",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "c4ce1174-9462-47e9-8038-794f40a184b3",
"value": "SideWinder"
},
@ -8431,15 +8444,64 @@
"https://news.sophos.com/en-us/2020/12/21/how-sunburst-malware-does-defense-evasion/",
"https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
"https://pastebin.com/6EDgCKxd",
"https://github.com/fireeye/sunburst_countermeasures"
"https://github.com/fireeye/sunburst_countermeasures",
"https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware",
"https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html"
],
"synonyms": [
"DarkHalo"
"DarkHalo",
"StellarParticle",
"NOBELIUM"
]
},
"uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b",
"value": "UNC2452"
},
{
"description": "In early Febuary, 2021 TeamTNT launched a new campaign against Docker and Kubernetes environments. Using a collection of container images that are hosted in Docker Hub, the attackers are targeting misconfigured docker daemons, Kubeflow dashboards, and Weave Scope, exploiting these environments in order to steal cloud credentials, open backdoors, mine cryptocurrency, and launch a worm that is looking for the next victim.\nThey're linked to the First Crypto-Mining Worm to Steal AWS Credentials and Hildegard Cryptojacking malware.\nTeamTNT is a relatively recent addition to a growing number of threats targeting the cloud. While they employ some of the same tactics as similar groups, TeamTNT stands out with their social media presence and penchant for self-promotion. Tweets from the TeamTNTs account are in both English and German although it is unknown if they are located in Germany.",
"meta": {
"refs": [
"https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/",
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.teamtnt",
"https://blog.aquasec.com/teamtnt-campaign-against-docker-kubernetes-environment",
"https://cybersecurity.att.com/blogs/labs-research/teamtnt-delivers-malware-with-new-detection-evasion-tool",
"https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials",
"https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
"https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html",
"https://cyware.com/news/hildegard-teamtnts-new-feature-rich-malware-targeting-kubernetes-6587eb45",
"https://www.lacework.com/teamtnt-builds-botnet-from-chinese-cloud-servers/"
]
},
"uuid": "27de6a09-844b-4dcb-9ff9-7292aad826ba",
"value": "TeamTNT"
},
{
"description": "HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures. HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once theyve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets environments. HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.",
"meta": {
"refs": [
"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
"https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html",
"https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers",
"https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day",
"https://twitter.com/ESETresearch/status/1366862946488451088",
"https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html",
"https://us-cert.cisa.gov/ncas/alerts/aa21-062a",
"https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289",
"https://github.com/microsoft/CSS-Exchange/tree/main/Security",
"https://github.com/cert-lv/exchange_webshell_detection",
"https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits",
"https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021",
"https://pastebin.com/J4L3r2RS",
"https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers",
"https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Execution/exchange-iis-worker-dropping-webshell.md",
"https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server",
"https://www.nextron-systems.com/2021/03/06/scan-for-hafnium-exploitation-evidence-with-thor-lite"
]
},
"uuid": "4f05d6c1-3fc1-4567-91cd-dd4637cc38b5",
"value": "HAFNIUM"
}
],
"version": 198
"version": 199
}
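Review bot: The new TeamTNT and HAFNIUM descriptions carry copy-paste defects that MISP will display verbatim: "Febuary" should be "February", `TeamTNTs` / `theyve` / `targets environments` have lost their apostrophes, and "MEGA.In campaigns" is missing a space after the period. Several of the new HAFNIUM refs point at volatile sources — the `pastebin.com/J4L3r2RS` paste and the reddit thread in particular — which tend to vanish; for a cluster SOC teams will pivot on, the primary vendor write-ups (already listed) or an archived copy would be a more durable citation. The HAFNIUM description asserts the group is assessed to operate out of China, yet the entry's meta carries only `refs`; I cannot tell from this hunk whether this cluster uses a `country` meta key (the UNC2452 entry above shows only refs and synonyms), but if it does, `"country": "CN"` would make that attribution queryable instead of buried in prose. The SideWinder `related` block points at `3c43bd4c-8c40-47b5-ae97-3dd0f0c0e8d8`, which has no counterpart visible in this diff; worth confirming that target exists and links back.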


@ -3,7 +3,7 @@
"icon": "optin-monster",
"name": "Cryptominers",
"namespace": "misp",
"type": "Cryptominers",
"type": "cryptominers",
"uuid": "917734cb-6bbf-4568-83b6-ad2b912fc5e4",
"version": 3
"version": 4
}