Merge pull request #681 from Delta-Sierra/main

add DDG botnet and more
2022-02-14 10:27:48 +01:00 · 2022-02-14 10:27:48 +01:00 · d4f51cd066
parent 3bce478fe4 33ef3317b7
commit d4f51cd066
5 changed files with 84 additions and 4 deletions
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@ -1197,6 +1197,44 @@
      },
      "uuid": "099223a1-4a6e-4024-8e48-dbe199ec7244",
      "value": "UPAS-Kit"
+    },
+    {
+      "description": "Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.",
+      "meta": {
+        "refs": [
+          "https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex"
+        ],
+        "synonyms": [
+          "Trik"
+        ]
+      },
+      "uuid": "26339b2e-7d82-4844-a9f0-81b0dd85e37c",
+      "value": "Phorpiex"
+    },
+    {
+      "description": "First activity observed in October 2017. DDG is a botnet with P2P capability that is targeting crypto currency mining (Monero).",
+      "meta": {
+        "refs": [
+          "https://twitter.com/JiaYu_521/status/1204248344043778048",
+          "https://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-servers/",
+          "https://blog.netlab.360.com/ddg-botnet-round-x-is-there-an-ending/",
+          "https://blog.netlab.360.com/threat-alert-ddg-3013-is-out/",
+          "https://blog.netlab.360.com/old-botnets-never-die-and-ddg-refuse-to-fade-away/",
+          "https://blog.netlab.360.com/ddg-mining-botnet-jin-qi-huo-dong-fen-xi/",
+          "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ddg"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "5c42585b-ea92-4fe2-8a79-bb47a3df67ad",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
+        }
+      ],
+      "uuid": "25a745c8-0d2a-40e1-9bb2-3704d1bd49e3",
+      "value": "DDG"
    }
  ],
  "version": 23
--- a/clusters/malpedia.json
+++ b/clusters/malpedia.json
@ -3032,6 +3032,15 @@
        "synonyms": [],
        "type": []
      },
+      "related": [
+        {
+          "dest-uuid": "25a745c8-0d2a-40e1-9bb2-3704d1bd49e3",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
+        }
+      ],
      "uuid": "5c42585b-ea92-4fe2-8a79-bb47a3df67ad",
      "value": "DDG"
    },
--- a/clusters/rat.json
+++ b/clusters/rat.json
@ -3487,6 +3487,19 @@
      "uuid": "833ed94d-97c1-4b57-9634-c27bf42eb867",
      "value": "Guildma"
    },
+    {
+      "description": "Milan is a 32-bit RAT written in Visual C++ and .NET. Milan is loaded and persists using tasks. An encoded routine waits for three to four seconds between executing the first task, deleting this task, and setting a second scheduled task for persistence.",
+      "meta": {
+        "refs": [
+          "https://www.prevailion.com/latest-targets-of-cyber-group-lyceum/"
+        ],
+        "synonyms": [
+          "James"
+        ]
+      },
+      "uuid": "a5e5a48a-5ce7-45f0-97d7-517d7f37b4ce",
+      "value": "Milan"
+    },
    {
      "description": "In late November, Prevailion’s Adversarial Counterintelligence Team (PACT) identified what appeared to be a malicious javascript-based Remote Access Trojan (RAT) that uses a robust Domain Generation Algorithm (DGA) to identify its Command and Control (C2) infrastructure and that utilizes novel methods for fileless persistence, on-system activity, and dynamic run-time capabilities like self-updating and recompilation.  This RAT, which PACT refers to by its internal codename “DarkWatchman”, has been observed being distributed by email and represents an evolution in fileless malware techniques, as it uses the registry for nearly all temporary and permanent storage and therefore never writes anything to disk, allowing it to operate beneath or around the detection threshold of most security tools.  PACT has reverse engineered the DGA, dynamically analyzed the malware, investigated the Threat Actor’s (TA) web-based infrastructure, and consolidated the results of our analysis into the following report.",
      "meta": {
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@ -6159,12 +6159,16 @@
        "refs": [
          "https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/",
          "https://www.netscout.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia",
-          "https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/"
+          "https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/",
+          "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/",
+          "https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-investigates-donot-team-cyberespionage-targeting-military-governments-in-south-asia/",
+          "https://github.com/eset/malware-ioc/tree/master/donot"
        ],
        "synonyms": [
          "DoNot Team",
          "Donot Team",
-          "APT-C-35"
+          "APT-C-35",
+          "SectorE02"
        ]
      },
      "uuid": "b9dc4e81-909f-4324-8b25-a0f359cd88e0",
@ -7606,10 +7610,16 @@
      "meta": {
        "refs": [
          "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign",
-          "https://www.secureworks.com/research/threat-profiles/cobalt-lyceum"
+          "https://www.secureworks.com/research/threat-profiles/cobalt-lyceum",
+          "https://www.prevailion.com/latest-targets-of-cyber-group-lyceum/",
+          "https://www.clearskysec.com/siamesekitten/",
+          "https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf"
        ],
        "synonyms": [
-          "COBALT LYCEUM"
+          "COBALT LYCEUM",
+          "HEXANE",
+          "Spirlin",
+          "siamesekitten"
        ]
      },
      "uuid": "e1b95185-8db6-4f3c-9ffd-1749087d934a",
--- a/clusters/tool.json
+++ b/clusters/tool.json
@ -8451,6 +8451,16 @@
      "uuid": "d5b31712-a5b4-4b1c-9a74-4340abc61210",
      "value": "ESPecter bootkit"
    },
+    {
+      "description": "Shark is a 32-bit executable written in C# and .NET. To run Shark, a parameter is passed on the command line that includes the executable’s filename. Shark generates a mutex that uses the executable’s filename as the mutex value. The mutex likely ensures Shark does not execute on a machine where it is already running and that the correct version of Shark is executed.",
+      "meta": {
+        "refs": [
+          "https://www.prevailion.com/latest-targets-of-cyber-group-lyceum/"
+        ]
+      },
+      "uuid": "9ea6d29e-00a7-4042-9bc5-31b1adeee6ec",
+      "value": "Shark"
+    },
    {
      "description": "Motnug is a simple shellcode loader that is used to load and execute shellcode located either in its overlay or in a separate file stored on disk.",
      "meta": {