Merge pull request #681 from Delta-Sierra/main

add DDG botnet and more
Alexandre Dulaunoy 2022-02-14 10:27:48 +01:00 committed by GitHub
commit d4f51cd066
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 84 additions and 4 deletions


@ -1197,6 +1197,44 @@
},
"uuid": "099223a1-4a6e-4024-8e48-dbe199ec7244",
"value": "UPAS-Kit"
},
{
"description": "Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex"
],
"synonyms": [
"Trik"
]
},
"uuid": "26339b2e-7d82-4844-a9f0-81b0dd85e37c",
"value": "Phorpiex"
},
{
"description": "First activity observed in October 2017. DDG is a botnet with P2P capability that is targeting crypto currency mining (Monero).",
"meta": {
"refs": [
"https://twitter.com/JiaYu_521/status/1204248344043778048",
"https://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-servers/",
"https://blog.netlab.360.com/ddg-botnet-round-x-is-there-an-ending/",
"https://blog.netlab.360.com/threat-alert-ddg-3013-is-out/",
"https://blog.netlab.360.com/old-botnets-never-die-and-ddg-refuse-to-fade-away/",
"https://blog.netlab.360.com/ddg-mining-botnet-jin-qi-huo-dong-fen-xi/",
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.ddg"
]
},
"related": [
{
"dest-uuid": "5c42585b-ea92-4fe2-8a79-bb47a3df67ad",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "25a745c8-0d2a-40e1-9bb2-3704d1bd49e3",
"value": "DDG"
}
],
"version": 23
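Review bot: The trailing `"version": 23` looks like unchanged context rather than a modified line (the hunk header reports 6 old and 44 new lines, which is 38 pure additions), so the Phorpiex and DDG entries land in this cluster without a version bump. Consumers that only re-import a galaxy when its version increases may therefore never see the new entries; change it to `"version": 24` in the same commit. If the rendered view simply dropped the old version line, disregard this.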


@ -3032,6 +3032,15 @@
"synonyms": [],
"type": []
},
"related": [
{
"dest-uuid": "25a745c8-0d2a-40e1-9bb2-3704d1bd49e3",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "5c42585b-ea92-4fe2-8a79-bb47a3df67ad",
"value": "DDG"
},


@ -3487,6 +3487,19 @@
"uuid": "833ed94d-97c1-4b57-9634-c27bf42eb867",
"value": "Guildma"
},
{
"description": "Milan is a 32-bit RAT written in Visual C++ and .NET. Milan is loaded and persists using tasks. An encoded routine waits for three to four seconds between executing the first task, deleting this task, and setting a second scheduled task for persistence.",
"meta": {
"refs": [
"https://www.prevailion.com/latest-targets-of-cyber-group-lyceum/"
],
"synonyms": [
"James"
]
},
"uuid": "a5e5a48a-5ce7-45f0-97d7-517d7f37b4ce",
"value": "Milan"
},
{
"description": "In late November, Prevailions Adversarial Counterintelligence Team (PACT) identified what appeared to be a malicious javascript-based Remote Access Trojan (RAT) that uses a robust Domain Generation Algorithm (DGA) to identify its Command and Control (C2) infrastructure and that utilizes novel methods for fileless persistence, on-system activity, and dynamic run-time capabilities like self-updating and recompilation. This RAT, which PACT refers to by its internal codename “DarkWatchman”, has been observed being distributed by email and represents an evolution in fileless malware techniques, as it uses the registry for nearly all temporary and permanent storage and therefore never writes anything to disk, allowing it to operate beneath or around the detection threshold of most security tools. PACT has reverse engineered the DGA, dynamically analyzed the malware, investigated the Threat Actors (TA) web-based infrastructure, and consolidated the results of our analysis into the following report.",
"meta": {
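Review bot: The new Milan entry cites only the Prevailion Lyceum report but carries no `related` link to the Lyceum actor entry (uuid e1b95185-8db6-4f3c-9ffd-1749087d934a, which this same PR extends), unlike the DDG entries that cross-reference each other; the Shark entry added later in this commit has the same gap. A `related` block with `"dest-uuid": "e1b95185-8db6-4f3c-9ffd-1749087d934a"` and the relation type the project uses for tool-to-actor links (`used-by`, if that is the intended semantics) would let analysts pivot from the tool to the actor. The DarkWatchman object at the end of the hunk is pre-existing context and continues outside it.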


@ -6159,12 +6159,16 @@
"refs": [
"https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/",
"https://www.netscout.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia",
"https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/"
"https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/",
"https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/",
"https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-investigates-donot-team-cyberespionage-targeting-military-governments-in-south-asia/",
"https://github.com/eset/malware-ioc/tree/master/donot"
],
"synonyms": [
"DoNot Team",
"Donot Team",
"APT-C-35"
"APT-C-35",
"SectorE02"
]
},
"uuid": "b9dc4e81-909f-4324-8b25-a0f359cd88e0",
@ -7606,10 +7610,16 @@
"meta": {
"refs": [
"https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign",
"https://www.secureworks.com/research/threat-profiles/cobalt-lyceum"
"https://www.secureworks.com/research/threat-profiles/cobalt-lyceum",
"https://www.prevailion.com/latest-targets-of-cyber-group-lyceum/",
"https://www.clearskysec.com/siamesekitten/",
"https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf"
],
"synonyms": [
"COBALT LYCEUM"
"COBALT LYCEUM",
"HEXANE",
"Spirlin",
"siamesekitten"
]
},
"uuid": "e1b95185-8db6-4f3c-9ffd-1749087d934a",
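Review bot: The new synonym `"siamesekitten"` is the only lowercase alias among `"COBALT LYCEUM"`, `"HEXANE"` and `"Spirlin"`, and the cited ClearSky page itself uses the capitalised form; since synonym matching in downstream tools is often case-sensitive, `"Siamesekitten"` would be the safer spelling. In the earlier DoNot hunk, the reference `https://github.com/eset/malware-ioc/tree/master/donot` points at a moving branch rather than a fixed commit, so the indicators it resolves to can change after this entry is published; pinning the link to a commit would make the reference reproducible. Both enclosing cluster objects start outside their hunks.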


@ -8451,6 +8451,16 @@
"uuid": "d5b31712-a5b4-4b1c-9a74-4340abc61210",
"value": "ESPecter bootkit"
},
{
"description": "Shark is a 32-bit executable written in C# and .NET. To run Shark, a parameter is passed on the command line that includes the executables filename. Shark generates a mutex that uses the executables filename as the mutex value. The mutex likely ensures Shark does not execute on a machine where it is already running and that the correct version of Shark is executed.",
"meta": {
"refs": [
"https://www.prevailion.com/latest-targets-of-cyber-group-lyceum/"
]
},
"uuid": "9ea6d29e-00a7-4042-9bc5-31b1adeee6ec",
"value": "Shark"
},
{
"description": "Motnug is a simple shellcode loader that is used to load and execute shellcode located either in its overlay or in a separate file stored on disk.",
"meta": {