MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

add raspberry Robin worm & others

pull/795/head
Delta-Sierra 2022-11-15 11:57:10 +01:00
parent 55b721a422
commit d020efd276
6 changed files with 111 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
clusters/banker.json
View File

@ -890,7 +890,11 @@
"refs": [
"https://www.bleepingcomputer.com/news/security/new-icedid-banking-trojan-discovered/",
"https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/",
"http://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html"
"http://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html",
"https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"
],
"synonyms": [
"BokBot"
]
},
"related": [
@ -1193,5 +1197,5 @@
"value": "Dark Tequila"
}
],
"version": 16
"version": 17
}

3
clusters/malpedia.json
View File

@ -7315,7 +7315,8 @@
"https://killingthebear.jorgetesta.tech/actors/evil-corp",
"https://experience.mandiant.com/trending-evil/p/1",
"https://www.lac.co.jp/lacwatch/report/20220407_002923.html",
"https://thehackernews.com/2022/07/microsoft-links-raspberry-robin-usb.html?_m=3n%2e009a%2e2800%2ejp0ao0cjb8%2e1shm"
"https://thehackernews.com/2022/07/microsoft-links-raspberry-robin-usb.html?_m=3n%2e009a%2e2800%2ejp0ao0cjb8%2e1shm",
"https://redcanary.com/threat-detection-report/threats/socgholish/"
],
"synonyms": [
"FakeUpdate",

3
clusters/ransomware.json
View File

@ -14017,7 +14017,8 @@
".Clop2"
],
"refs": [
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf"
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
"https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"
]
},
"uuid": "21b349c3-ede2-4e11-abda-1444eb272eff",

7
clusters/rat.json
View File

@ -3216,6 +3216,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "ad6d0074-476e-4c05-b0d9-79404f71bbba",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "3c1003a2-8364-467a-b9b8-fcc19724a9b5",

23
clusters/threat-actor.json
View File

@ -9884,6 +9884,29 @@
},
"uuid": "6a83b2bf-0c51-4c9b-89b0-35df7cab1dd5",
"value": "APT-Q-12"
},
{
"description": "GOLD PRELUDE is a financially motivated cybercriminal threat group that operates the SocGholish (aka FAKEUPDATES) malware distribution network. GOLD PRELUDE operates a large global network of compromised websites, frequently running vulnerable content management systems (CMS), that redirect into a malicious traffic distribution system (TDS). The TDS, which researchers at Avast have named Parrot TDS, uses opaque criteria to select victims to serve a fake browser update page. These pages, which are customized to the specific visiting browser software, download the JavaScript-based SocGholish payload frequently embedded within a compressed archive.",
"meta": {
"refs": [
"https://www.secureworks.com/research/threat-profiles/gold-prelude"
],
"synonyms": [
"TA569",
"UNC1543"
]
},
"related": [
{
"dest-uuid": "cd32b19e-c365-4efc-9998-548e50e04a4c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
}
],
"uuid": "8134c96d-d6ed-49cc-99d6-fe74c0636387",
"value": "GOLD PRELUDE"
}
],
"version": 250

73
clusters/tool.json
View File

@ -8575,7 +8575,8 @@
"description": "BumbleBee is a modular backdoor that comprises two applications, a server and a client application (a master and slaver application, respectively in the malwares jargon). Once the client application is deployed on the target computer (these are commonly local government devices), threat actors can control the machine using the server module. Let us take a deeper look into this backdoor.",
"meta": {
"refs": [
"https://www.trendmicro.com/en_us/research/22/i/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolv.html"
"https://www.trendmicro.com/en_us/research/22/i/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolv.html",
"https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"
],
"type": [
"backdoor"
@ -8612,7 +8613,75 @@
},
"uuid": "e10ff67f-8b52-4648-9217-da53ff7d52f9",
"value": "SharPyShell"
},
{
"description": "Raspberry Robin has evolved from being a widely distributed worm with no observed post-infection actions when Red Canary first reported it in May 2022, to one of the largest malware distribution platforms currently active. ",
"meta": {
"refs": [
"https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"
],
"type": "Worm"
},
"uuid": "70dc3e92-9b3b-4fc1-abd2-d98985d83225",
"value": "Raspberry Robin"
},
{
"description": "The Fauppod malware delivers a JavaScript backdoor to gain unauthorized access to the target system and deploy additional malware.",
"meta": {
"refs": [
"https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"
]
},
"uuid": "9f0224f6-dd46-4a23-a3fd-d295abae5f93",
"value": "Fauppod"
},
{
"description": "This threat takes multiple screenshots of your desktop. It saves all screenshots in a .dat file that becomes a collection of bitmap images. According to Group-IB, FlawedAmmyy.downloader and Truebot would have been developed by the same individual",
"meta": {
"refs": [
"https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"
],
"synonyms": [
"Silence"
]
},
"related": [
{
"dest-uuid": "ad6d0074-476e-4c05-b0d9-79404f71bbba",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "ad6d0074-476e-4c05-b0d9-79404f71bbba",
"value": "Truebot"
},
{
"description": "FAKEUPDATES is a downloader written in JavaScript that communicates via HTTP. Supported payload types include executables and JavaScript. It writes the payloads to disk prior to launching them. FAKEUPDATES has led to further compromise via additional malware families that include CHTHONIC, DRIDEX, EMPIRE, KOADIC, DOPPELPAYMER, and AZORULT.\nFAKEUPDATES has been heavily used by UNC1543,a financially motivated group.\n\nSocGholish, first appearing in late 2017 and rising to prominence in mid-2018, has been used to describe both the web drive-by download network used to infect victims and the JavaScript-based loader malware that targets Windows systems.",
"meta": {
"refs": [
"https://www.malwarebytes.com/blog/news/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms",
"https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
"https://www.secureworks.com/research/threat-profiles/gold-prelude"
],
"synonyms": [
"FakeUpdate",
"SocGholish"
]
},
"related": [
{
"dest-uuid": "8134c96d-d6ed-49cc-99d6-fe74c0636387",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "used-by"
}
],
"uuid": "cd32b19e-c365-4efc-9998-548e50e04a4c",
"value": "FakeUpdates"
}
],
"version": 156
"version": 157
}