TA505 threat actorand affiliates malwares

2019-01-11 09:53:08 +01:00 · 2019-01-11 09:53:08 +01:00 · cddfd5fcd1
parent 4547b09f49
commit cddfd5fcd1
3 changed files with 34 additions and 3 deletions
--- a/clusters/backdoor.json
+++ b/clusters/backdoor.json
@ -41,7 +41,17 @@
      },
      "uuid": "2bb165dc-9f93-11e8-ae64-d3dbab0dd786",
      "value": "Rosenbridge"
+    },
+    {
+      "description": "The purpose of the macro was to download and execute a variant of ServHelper that set up reverse SSH tunnels that enabled access to the infected host through the Remote Desktop Protocol (RDP) port 3389.\n\n\"Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to “hijack” legitimate user accounts or their web browser profiles and use them as they see fit,\" researchers from Proofpoint explain in an analysis released today.\n\nThe other ServHelper variant does not include the tunneling and hijacking capabilities and functions only as a downloader for the FlawedGrace RAT.",
+      "meta": {
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/new-servhelper-backdoor-and-flawedgrace-rat-pushed-by-necurs-botnet/"
+        ]
+      },
+      "uuid": "8b50360c-4d16-4f52-be75-e74c27f533df",
+      "value": "ServHelper"
    }
  ],
-  "version": 3
+  "version": 4
 }
--- a/clusters/rat.json
+++ b/clusters/rat.json
@ -3298,7 +3298,17 @@
      },
      "uuid": "ef9f1592-0186-4f5d-a8ea-6c10450d2219",
      "value": "BONDUPDATER"
+    },
+    {
+      "description": "Proofpoint also point out that FlawedGrace is a full-featured RAT written in C++ and that it is a very large program that \"extensive use of object-oriented and multithreaded programming techniques. \"As a consequence, getting familiar with its internal structure takes a lot of time and is far from a simple task.",
+      "meta": {
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/new-servhelper-backdoor-and-flawedgrace-rat-pushed-by-necurs-botnet/"
+        ]
+      },
+      "uuid": "428c8288-6f65-453f-bfa2-4b519d08f8e9",
+      "value": "FlawedGrace"
    }
  ],
-  "version": 23
+  "version": 24
 }
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@ -6126,7 +6126,18 @@
      },
      "uuid": "b06c3af1-0243-4428-88da-b3451c345e1e",
      "value": "Operation Sharpshooter"
+    },
+    {
+      "description": "TA505, the name given by Proofpoint, has been in the cybercrime business for at least four years. This is the group behind the infamous Dridex banking trojan and Locky ransomware, delivered through malicious email campaigns via Necurs botnet. Other malware associated with TA505 include Philadelphia and GlobeImposter ransomware families.",
+      "meta": {
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/ta505-group-adopts-new-servhelper-backdoor-and-flawedgrace-rat/",
+          "https://www.proofpoint.com/sites/default/files/ta505_timeline_final4_0.png"
+        ]
+      },
+      "uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f",
+      "value": "TA505"
    }
  ],
-  "version": 84
+  "version": 85
 }