Merge pull request #736 from Delta-Sierra/main

add Qbot
2022-07-12 18:41:33 +02:00 · 2022-07-12 18:41:33 +02:00 · cf603e8160
parent a82bf23b3e b1c853bf42
commit cf603e8160
2 changed files with 49 additions and 3 deletions
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@ -1323,11 +1323,48 @@
            "estimative-language:likelihood-probability=\"likely\""
          ],
          "type": "variant-of"
+        },
+        {
+          "dest-uuid": "e878d24d-f122-48c4-930c-f6b6d5f0ee28",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "variant-of"
+        },
+        {
+          "dest-uuid": "421a3805-7741-4315-82c2-6c9aa30d0953",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "variant-of"
        }
      ],
      "uuid": "a5a067c9-c4d7-4f33-8e6f-01b903f89908",
      "value": "EnemyBot"
+    },
+    {
+      "description": "Discovered in 2008 and under constant development, with gaps in operational use in the wild; operators are occasionally known as GOLD LAGOON. Banking Trojan, steals financial data, browser information/hooks, keystrokes, credentials; described by CheckPoint as a “Swiss Army knife”. Known to leverage many other tools; for example, PowerShell and Mimikatz are used for self-propagation. Attempts obfuscation via legitimate process injection. Known to serve as a dropper for ProLock ransomware. Infection vectors are common, with malspam as the most frequent. Active in 2020 – two big campaigns, one from March to June, second Starting in July and ongoing, as part of latest Emotet campaign. Newer version appeared in August.",
+      "meta": {
+        "refs": [
+          "https://www.cisa.gov/sites/default/files/publications/202010221030_QakBot%20TLPWHITE.pdf"
+        ],
+        "synonyms": [
+          "QakBot",
+          "Pinkslipbot"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "c4417bfb-717f-48d9-bd56-bc9e85d07c19",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "dropped"
+        }
+      ],
+      "uuid": "421a3805-7741-4315-82c2-6c9aa30d0953",
+      "value": "Qbot"
    }
  ],
-  "version": 26
+  "version": 27
 }
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@ -2250,7 +2250,7 @@
          "https://id-ransomware.blogspot.co.il/2017/01/xcrypt-ransomware.html",
          "https://twitter.com/JakubKroustek/status/825790584971472902"
        ],
-        "synonyns": [
+        "synonyms": [
          "XCrypt"
        ]
      },
@ -22140,6 +22140,15 @@
    },
    {
      "description": "ransomware",
+      "related": [
+        {
+          "dest-uuid": "421a3805-7741-4315-82c2-6c9aa30d0953",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "dropped-by"
+        }
+      ],
      "uuid": "c4417bfb-717f-48d9-bd56-bc9e85d07c19",
      "value": "ProLock"
    },
@ -24568,5 +24577,5 @@
      "value": "Maui ransomware"
    }
  ],
-  "version": 104
+  "version": 105
 }