MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

add uuid to every cluster

pull/162/head
Deborah Servili 2018-02-28 15:37:37 +01:00
parent 2eea951b71
commit d88a4a44dc
15 changed files with 25083 additions and 23061 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1252
clusters/android.json
View File

File diff suppressed because it is too large Load Diff

128
clusters/banker.json
View File

@ -11,7 +11,8 @@
"date": "Initally discovered between 2006 and 2007. New bankers with Zeus roots still active today."
},
"description": "Zeus is a trojan horse that is primarily delivered via drive-by-downloads, malvertising, exploit kits and malspam campaigns. It uses man-in-the-browser keystroke logging and form grabbing to steal information from victims. Source was leaked in 2011.",
"value": "Zeus"
"value": "Zeus",
"uuid": "f0ec2df5-2e38-4df3-970d-525352006f2e"
},
{
"meta": {
@ -27,7 +28,8 @@
"date": "Discovered early 2013"
},
"description": "Delivered primarily by exploit kits as well as malspam campaigns utilizing macro based Microsoft Office documents as attachments. Vawtrak/Neverquest is a modularized banking trojan designed to steal credentials through harvesting, keylogging, Man-In-The-Browser, etc.",
"value": "Vawtrak"
"value": "Vawtrak",
"uuid": "f3813bbd-682c-400d-8165-778be6d3f91f"
},
{
"meta": {
@ -41,7 +43,8 @@
"date": "Discovery in 2014, still active"
},
"description": " Dridex leverages redirection attacks designed to send victims to malicious replicas of the banking sites they think they're visiting.",
"value": "Dridex"
"value": "Dridex",
"uuid": "44754726-e1d5-4e5f-a113-234c4a8ca65e"
},
{
"meta": {
@ -59,7 +62,8 @@
"date": "First seen ~ 2007"
},
"description": "Banking trojan delivered primarily via email (typically malspam) and exploit kits. Gozi 1.0 source leaked in 2010",
"value": "Gozi"
"value": "Gozi",
"uuid": "b9448d2a-a23c-4bf2-92a1-d860716ba2f3"
},
{
"meta": {
@ -74,7 +78,8 @@
"date": "Fall Oct. 2012 - Spring 2013"
},
"description": "Banking trojan attributed to Project Blitzkrieg targeting U.S. Financial institutions.",
"value": "Goziv2"
"value": "Goziv2",
"uuid": "71ad2c86-b9da-4351-acf9-7005f64062c7"
},
{
"meta": {
@ -86,8 +91,9 @@
],
"date": "Beginning 2010"
},
"description": "Banking trojan based on Gozi source. Features include web injects for the victims browsers, screenshoting, video recording, transparent redirections, etc. Source leaked ~ end of 2015.",
"value": "Gozi ISFB"
"description": "Banking trojan based on Gozi source. Features include web injects for the victims\u2019 browsers, screenshoting, video recording, transparent redirections, etc. Source leaked ~ end of 2015.",
"value": "Gozi ISFB",
"uuid": "ffbbbc14-1cdb-4be9-a631-ed53c5407369"
},
{
"meta": {
@ -99,7 +105,8 @@
"date": "Since 2014"
},
"description": "Dreambot is a variant of Gozi ISFB that is spread via numerous exploit kits as well as through malspam email attachments and links.",
"value": "Dreambot"
"value": "Dreambot",
"uuid": "549d1f8c-f76d-4d66-a1a2-2cd048d739ea"
},
{
"meta": {
@ -110,7 +117,8 @@
"date": "Seen Autumn 2014"
},
"description": "Gozi ISFB variant ",
"value": "IAP"
"value": "IAP",
"uuid": "0f96a666-bf26-44e0-8ad6-f2136208c924"
},
{
"meta": {
@ -120,8 +128,9 @@
],
"date": "Spring 2016"
},
"description": "GozNym hybrid takes the best of both the Nymaim and Gozi ISFB. From the Nymaim malware, it leverages the droppers stealth and persistence; the Gozi ISFB parts add the banking Trojans capabilities to facilitate fraud via infected Internet browsers.",
"value": "GozNym"
"description": "GozNym hybrid takes the best of both the Nymaim and Gozi ISFB. From the Nymaim malware, it leverages the dropper\u2019s stealth and persistence; the Gozi ISFB parts add the banking Trojan\u2019s capabilities to facilitate fraud via infected Internet browsers.",
"value": "GozNym",
"uuid": "bcefac9a-a928-490f-9cb6-a8863f40c949"
},
{
"meta": {
@ -135,7 +144,8 @@
"date": "First seen in Fall 2016 and still active today."
},
"description": "Zloader is a loader that loads different payloads, one of which is a Zeus module. Delivered via exploit kits and malspam emails. ",
"value": "Zloader Zeus"
"value": "Zloader Zeus",
"uuid": "2eb658ed-aff4-4253-a21f-9059b133ce17"
},
{
"meta": {
@ -149,7 +159,8 @@
"date": "First seen ~Feb 2014"
},
"description": "Zeus variant that utilizes steganography in image files to retrieve configuration file. ",
"value": "Zeus VM"
"value": "Zeus VM",
"uuid": "09d1cad8-6b06-48d7-a968-5b17bbe9ca65"
},
{
"meta": {
@ -159,7 +170,8 @@
"date": "First seen ~Aug 2015"
},
"description": "Sphinx is a modular banking trojan that is a commercial offering sold to cybercriminals via underground fraudster boards.",
"value": "Zeus Sphinx"
"value": "Zeus Sphinx",
"uuid": "8914802c-3aca-4a0d-874a-85ac7a1bc505"
},
{
"meta": {
@ -174,7 +186,8 @@
"date": "First seen ~ Spring 2016"
},
"description": "Zeus like banking trojan that is delivered primarily through malspam emails and exploit kits.",
"value": "Panda Banker"
"value": "Panda Banker",
"uuid": "f1971442-6477-4aa2-aafa-7529b8252455"
},
{
"meta": {
@ -189,7 +202,8 @@
"date": "First seen 2014"
},
"description": "Zeus KINS is a modified version of ZeuS 2.0.8.9. It contains an encrypted version of it's config in the registry. ",
"value": "Zeus KINS"
"value": "Zeus KINS",
"uuid": "bc0be3a4-89d8-4c4c-b2aa-2dddbed1f71d"
},
{
"meta": {
@ -200,7 +214,8 @@
"date": "First seen fall of 2014"
},
"description": "Chthonic according to Kaspersky is an evolution of Zeus VM. It uses the same encryptor as Andromeda bot, the same encryption scheme as Zeus AES and Zeus V2 Trojans, and a virtual machine similar to that used in ZeusVM and KINS malware.",
"value": "Chthonic"
"value": "Chthonic",
"uuid": "6deb9f26-969b-45aa-9222-c23663fd6ef8"
},
{
"meta": {
@ -217,7 +232,8 @@
"date": "Discovered Fall 2016"
},
"description": "Trickbot is a bot that is delivered via exploit kits and malspam campaigns. The bot is capable of downloading modules, including a banker module. Trickbot also shares roots with the Dyre banking trojan",
"value": "Trickbot"
"value": "Trickbot",
"uuid": "07e3260b-d80c-4c86-bd28-8adc111bbec6"
},
{
"meta": {
@ -231,7 +247,8 @@
"date": "Discovered ~June 2014"
},
"description": "Dyre is a banking trojan distributed via exploit kits and malspam emails primarily. It has a modular architectur and utilizes man-in-the-browser functionality. It also leverages a backconnect server that allows threat actors to connect to a bank website through the victim's computer.",
"value": "Dyre"
"value": "Dyre",
"uuid": "15e969e6-f031-4441-a49b-f401332e4b00"
},
{
"meta": {
@ -249,7 +266,8 @@
"date": "Discovered ~Spring 2012"
},
"description": "Tinba is a very small banking trojan that hooks into browsers and steals login data and sniffs on network traffic. It also uses Man in The Browser (MiTB) and webinjects. Tinba is primarily delivered via exploit kits, malvertising and malspam email campaigns.",
"value": "Tinba"
"value": "Tinba",
"uuid": "5594b171-32ec-4145-b712-e7701effffdd"
},
{
"meta": {
@ -264,7 +282,8 @@
"date": "Discovered ~Summer 2014"
},
"description": "Geodo is a banking trojan delivered primarily through malspam emails. It is capable of sniffing network activity to steal information by hooking certain network API calls.",
"value": "Geodo"
"value": "Geodo",
"uuid": "8e002f78-7fb8-4e70-afd7-0b4ac655be26"
},
{
"meta": {
@ -280,7 +299,8 @@
"date": "Discovered ~September 2011"
},
"description": "Feodo is a banking trojan that utilizes web injects and is also capable of monitoring & manipulating cookies. Version A = Port 8080, Version B = Port 80 It is delivered primarily via exploit kits and malspam emails.",
"value": "Feodo"
"value": "Feodo",
"uuid": "7ca93488-c357-44c3-b246-3f88391aca5a"
},
{
"meta": {
@ -293,7 +313,8 @@
"date": "Discovered ~2010."
},
"description": "Originally not a banking trojan in 2010, Ramnit became a banking trojan after the Zeus source code leak. It is capable of perforrming Man-in-the-Browser attacks. Distributed primarily via exploit kits.",
"value": "Ramnit"
"value": "Ramnit",
"uuid": "7e2288ec-e7d4-4833-9245-a2bc5ae40ee2"
},
{
"meta": {
@ -309,7 +330,8 @@
"date": "Discovered ~2007"
},
"description": "Qakbot is a banking trojan that leverages webinjects to steal banking information from victims. It also utilizes DGA for command and control. It is primarily delivered via exploit kits.",
"value": "Qakbot"
"value": "Qakbot",
"uuid": "b2ec1f16-2a76-4910-adc5-ecb3570e7c1a"
},
{
"meta": {
@ -321,7 +343,8 @@
"date": "Discovered ~Fall 2015"
},
"description": "Corebot is a modular trojan that leverages a banking module that can perform browser hooking, form grabbing, MitM, webinjection to steal financial information from victims. Distributed primarily via malspam emails and exploit kits.",
"value": "Corebot"
"value": "Corebot",
"uuid": "8a3d46db-d3b4-4f89-99e2-d1f0de3f484c"
},
{
"meta": {
@ -341,7 +364,8 @@
"date": "Discovered ~December 2016"
},
"description": "TinyNuke is a modular banking trojan that includes a HiddenDesktop/VNC server and reverse SOCKS 4 server. It's main functionality is to make web injections into specific pages to steal user data. Distributed primarily via malspam emails and exploit kits.",
"value": "TinyNuke"
"value": "TinyNuke",
"uuid": "e683cd91-40b4-4e1c-be25-34a27610a22e"
},
{
"meta": {
@ -359,7 +383,8 @@
"date": "Discovered in 2014"
},
"description": "Retefe is a banking trojan that is distributed by what SWITCH CERT calls the Retefe gang or Operation Emmental. It uses geolocation based targeting. It also leverages fake root certificate and changes the DNS server for domain name resolution in order to display fake banking websites to victims. It is spread primarily through malspam emails. ",
"value": "Retefe"
"value": "Retefe",
"uuid": "87b69cb4-8b65-47ee-91b0-9b1decdd5c5c"
},
{
"meta": {
@ -372,7 +397,8 @@
"date": "Discovered ~early 2015"
},
"description": "ReactorBot is sometimes mistakenly tagged as Rovnix. ReactorBot is a full fledged modular bot that includes a banking module that has roots with the Carberp banking trojan. Distributed primarily via malspam emails.",
"value": "ReactorBot"
"value": "ReactorBot",
"uuid": "d939e802-acb2-4881-bdaf-ece1eccf5699"
},
{
"meta": {
@ -382,7 +408,8 @@
"date": "Discovered ~Spring 2017"
},
"description": "Matrix Banker is named accordingly because of the Matrix reference in it's C2 panel. Distributed primarily via malspam emails.",
"value": "Matrix Banker"
"value": "Matrix Banker",
"uuid": "aa3fc68c-413c-4bfb-b4cd-bca7094da985"
},
{
"meta": {
@ -393,7 +420,8 @@
"date": "Discovered ~Sept. 2011"
},
"description": "Zeus Gameover captures banking credentials from infected computers, then use those credentials to initiate or re-direct wire transfers to accounts overseas that are controlled by the criminals. GameOver has a decentralized, peer-to-peer command and control infrastructure rather than centralized points of origin. Distributed primarily via malspam emails and exploit kits.",
"value": "Zeus Gameover"
"value": "Zeus Gameover",
"uuid": "8653a94e-3eb3-4d88-8683-a1ae4a524774"
},
{
"meta": {
@ -405,7 +433,8 @@
"date": "Discovered early 2011"
},
"description": "SpyEye is a similar to the Zeus botnet banking trojan. It utilizes a web control panel for C2 and can perform form grabbing, autofill credit card modules, ftp grabber, pop3 grabber and HTTP basic access authorization grabber. It also contained a Kill Zeus feature which would remove any Zeus infections if SpyEye was on the system. Distributed primarily via exploit kits and malspam emails.",
"value": "SpyEye"
"value": "SpyEye",
"uuid": "ebce18e9-b387-4b7d-bab9-4acd4fca7a7c"
},
{
"meta": {
@ -417,7 +446,8 @@
"date": "Discovered ~January 2012"
},
"description": "Citadel is an offspring of the Zeus banking trojan. Delivered primarily via exploit kits.",
"value": "Citadel"
"value": "Citadel",
"uuid": "9eb89081-3245-423a-995f-c1d78ce39619"
},
{
"meta": {
@ -428,7 +458,8 @@
"date": "Discovered ~spring 2016"
},
"description": "Atmos is derived from the Citadel banking trojan. Delivered primarily via exploit kits and malspam emails.",
"value": "Atmos"
"value": "Atmos",
"uuid": "ee021933-929d-4d6c-abca-5827cfb77289"
},
{
"meta": {
@ -438,7 +469,8 @@
"date": "Discovered ~Fall 2011"
},
"description": "Ice IX is a bot created using the source code of ZeuS 2.0.8.9. No major improvements compared to ZeuS 2.0.8.9.",
"value": "Ice IX"
"value": "Ice IX",
"uuid": "1d4a5704-c6fb-4bbb-92b2-88dc67f86339"
},
{
"meta": {
@ -448,7 +480,8 @@
"date": "Discovered ~end of 2010"
},
"description": "Zeus in the mobile. Banking trojan developed for mobile devices such as Windows Mobile, Blackberry and Android.",
"value": "Zitmo"
"value": "Zitmo",
"uuid": "3b1aff8f-647d-4709-aab0-6db1859c5f11"
},
{
"meta": {
@ -463,7 +496,8 @@
"date": "Discovered in 2010"
},
"description": "Banking trojan based on Zeus V2. Murofet is a newer version of Licat found ~end of 2011",
"value": "Licat"
"value": "Licat",
"uuid": "0b097926-2e1a-4134-8ab9-4c16d0cca0fc"
},
{
"meta": {
@ -473,7 +507,8 @@
"date": "Discovered end of 2012"
},
"description": "Skynet is a Tor-powered trojan with DDoS, Bitcoin mining and Banking capabilities. Spread via USENET as per rapid7.",
"value": "Skynet"
"value": "Skynet",
"uuid": "f20791e4-26a7-45e0-90e6-709553b223b2"
},
{
"meta": {
@ -484,7 +519,8 @@
"date": "Discovered in September 2017"
},
"description": "According to X-Force research, the new banking Trojan emerged in the wild in September 2017, when its first test campaigns were launched. Our researchers noted that IcedID has a modular malicious code with modern banking Trojan capabilities comparable to malware such as the Zeus Trojan. At this time, the malware targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites in the U.S. Two major banks in the U.K. are also on the target list the malware fetches.",
"value": "IcedID"
"value": "IcedID",
"uuid": "9d67069c-b778-486f-8158-53f5dcd05d08"
},
{
"value": "GratefulPOS",
@ -493,7 +529,8 @@
"refs": [
"https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season"
]
}
},
"uuid": "7d9362e5-e3cf-4640-88a2-3faf31952963"
},
{
"value": "Dok",
@ -502,20 +539,22 @@
"refs": [
"https://objective-see.com/blog/blog_0x25.html#Dok"
]
}
},
"uuid": "e159c4f8-3c22-49f9-a60a-16588a9c22b0"
},
{
"value": "downAndExec",
"description": "Services like Netflix use content delivery networks (CDNs) to maximize bandwidth usage as it gives users greater speed when viewing the content, as the server is close to them and is part of the Netflix CDN. This results in faster loading times for series and movies, wherever you are in the world. But, apparently, the CDNs are starting to become a new way of spreading malware. The attack chain is very extensive, and incorporates the execution of remote scripts (similar in some respects to the recent “fileless” banking malware trend), plus the use of CDNs for command and control (C&C), and other standard techniques for the execution and protection of malware.",
"description": "Services like Netflix use content delivery networks (CDNs) to maximize bandwidth usage as it gives users greater speed when viewing the content, as the server is close to them and is part of the Netflix CDN. This results in faster loading times for series and movies, wherever you are in the world. But, apparently, the CDNs are starting to become a new way of spreading malware. The attack chain is very extensive, and incorporates the execution of remote scripts (similar in some respects to the recent \u201cfileless\u201d banking malware trend), plus the use of CDNs for command and control (C&C), and other standard techniques for the execution and protection of malware.",
"meta": {
"refs": [
"https://www.welivesecurity.com/2017/09/13/downandexec-banking-malware-cdns-brazil/"
]
}
},
"uuid": "bfff538a-89dd-4bed-9ac1-b4faee373724"
},
{
"value": "Smominru",
"description": "Since the end of May 2017, we have been monitoring a Monero miner that spreads using the EternalBlue Exploit (CVE-2017-0144). The miner itself, known as Smominru (aka Ismo) has been well-documented, so we will not discuss its post-infection behavior. However, the miners use of Windows Management Infrastructure is unusual among coin mining malware.\nThe speed at which mining operations conduct mathematical operations to unlock new units of cryptocurrency is referred to as “hash power”. Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz. The operators had already mined approximately 8,900 Monero (valued this week between $2.8M and $3.6M). Each day, the botnet mined roughly 24 Monero, worth an average of $8,500 this week.",
"description": "Since the end of May 2017, we have been monitoring a Monero miner that spreads using the EternalBlue Exploit (CVE-2017-0144). The miner itself, known as Smominru (aka Ismo) has been well-documented, so we will not discuss its post-infection behavior. However, the miner\u2019s use of Windows Management Infrastructure is unusual among coin mining malware.\nThe speed at which mining operations conduct mathematical operations to unlock new units of cryptocurrency is referred to as \u201chash power\u201d. Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz. The operators had already mined approximately 8,900 Monero (valued this week between $2.8M and $3.6M). Each day, the botnet mined roughly 24 Monero, worth an average of $8,500 this week.",
"meta": {
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators"
@ -524,7 +563,8 @@
"Ismo",
"lsmo"
]
}
},
"uuid": "f93acc85-8d2c-41e0-b0c5-47795b8c6194"
}
],
"version": 7,

128
clusters/botnet.json
View File

@ -7,7 +7,8 @@
"refs": [
"https://www.bleepingcomputer.com/news/security/android-devices-targeted-by-new-monero-mining-botnet/"
]
}
},
"uuid": "6d7fc046-61c8-4f4e-add9-eebe5b5f4f69"
},
{
"value": "Bagle",
@ -22,11 +23,12 @@
"Lodeight"
],
"date": "2004"
}
},
"uuid": "d530ea76-9bbc-4276-a2e3-df04e0e5a14c"
},
{
"value": "Marina Botnet",
"description": "Around the same time Bagle was sending spam messages all over the world, the Marina Botnet quickly made a name for itself. With over 6 million bots pumping out spam emails every single day, it became apparent these “hacker tools” could get out of hand very quickly. At its peak, Marina Botnet delivered 92 billion spam emails per day.",
"description": "Around the same time Bagle was sending spam messages all over the world, the Marina Botnet quickly made a name for itself. With over 6 million bots pumping out spam emails every single day, it became apparent these \u201chacker tools\u201d could get out of hand very quickly. At its peak, Marina Botnet delivered 92 billion spam emails per day.",
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/Botnet"
@ -38,7 +40,8 @@
"Hacktool.Spammer",
"Kraken"
]
}
},
"uuid": "7296f769-9bb7-474d-bbc7-5839f71d052a"
},
{
"value": "Torpig",
@ -52,7 +55,8 @@
"Anserin"
],
"date": "2005"
}
},
"uuid": "415a3667-4ac4-4718-a6ea-617540a4abb1"
},
{
"value": "Storm",
@ -69,7 +73,8 @@
"Ecard"
],
"date": "2007"
}
},
"uuid": "74ebec0c-6db3-47b9-9879-0d125e413e76"
},
{
"value": "Rustock",
@ -82,7 +87,8 @@
"Costrat"
],
"date": "2006"
}
},
"uuid": "9bca63cc-f0c7-4704-9c5f-b5bf473a9b43"
},
{
"value": "Donbot",
@ -94,7 +100,8 @@
"Buzus",
"Bachsoy"
]
}
},
"uuid": "27a7fd9b-ec9a-4f4a-b3f5-a3b81c71970a"
},
{
"value": "Cutwail",
@ -108,7 +115,8 @@
"Mutant"
],
"date": "2007"
}
},
"uuid": "35e25aad-7c39-4a1d-aa17-73fa638362e8"
},
{
"value": "Akbot",
@ -118,7 +126,8 @@
"https://en.wikipedia.org/wiki/Akbot"
],
"date": "2007"
}
},
"uuid": "6e1168e6-7768-4fa2-951f-6d6934531633"
},
{
"value": "Srizbi",
@ -132,7 +141,8 @@
"Exchanger"
],
"date": "March 2007"
}
},
"uuid": "6df98396-b52a-4f84-bec2-0060bc46bdbf"
},
{
"value": "Lethic",
@ -142,7 +152,8 @@
"https://en.wikipedia.org/wiki/Lethic_botnet"
],
"date": "2008"
}
},
"uuid": "a73e150f-1431-4f72-994a-4000405eff07"
},
{
"value": "Xarvester",
@ -154,7 +165,8 @@
"Rlsloup",
"Pixoliz"
]
}
},
"uuid": "e965dd3a-bfd9-4c88-b7a5-a8fc328ac859"
},
{
"value": "Sality",
@ -173,7 +185,8 @@
"Kukacka"
],
"date": "2008"
}
},
"uuid": "6fe5f49d-48b5-4dc2-92f7-8c94397b9c96"
},
{
"value": "Mariposa",
@ -183,7 +196,8 @@
"https://en.wikipedia.org/wiki/Mariposa_botnet"
],
"date": "2008"
}
},
"uuid": "f4878385-c6c7-4f6b-8637-08146841d2a2"
},
{
"value": "Conficker",
@ -199,7 +213,8 @@
"Kido"
],
"date": "November 2008"
}
},
"uuid": "ab49815e-8ba6-41ec-9f51-8a9587334069"
},
{
"value": "Waledac",
@ -213,7 +228,8 @@
"Waledpak"
],
"date": "November 2008"
}
},
"uuid": "4e324956-3177-4c8f-b0b6-e3bc4c3ede2f"
},
{
"value": "Maazben",
@ -222,7 +238,8 @@
"refs": [
"https://www.symantec.com/connect/blogs/evaluating-botnet-capacity"
]
}
},
"uuid": "a461f744-ab52-4a78-85e4-aedca1303a4c"
},
{
"value": "Onewordsub",
@ -230,11 +247,12 @@
"refs": [
"https://www.botnets.fr/wiki/OneWordSub"
]
}
},
"uuid": "4cc97d31-c9ab-4682-aae4-21dcbc02118f"
},
{
"value": "Gheg",
"description": "Tofsee, also known as Gheg, is another botnet analyzed by CERT Polska. Its main job is to send spam, but it is able to do other tasks as well. It is possible thanks to the modular design of this malware it consists of the main binary (the one user downloads and infects with), which later downloads several additional modules from the C2 server they modify code by overwriting some of the called functions with their own. An example of some actions these modules perform is spreading by posting click-bait messages on Facebook and VKontakte (Russian social network).",
"description": "Tofsee, also known as Gheg, is another botnet analyzed by CERT Polska. Its main job is to send spam, but it is able to do other tasks as well. It is possible thanks to the modular design of this malware \u2013 it consists of the main binary (the one user downloads and infects with), which later downloads several additional modules from the C2 server \u2013 they modify code by overwriting some of the called functions with their own. An example of some actions these modules perform is spreading by posting click-bait messages on Facebook and VKontakte (Russian social network).",
"meta": {
"refs": [
"https://www.cert.pl/en/news/single/tofsee-en/"
@ -243,7 +261,8 @@
"Tofsee",
"Mondera"
]
}
},
"uuid": "ca11e3f2-cda1-45dc-bed1-8708fa9e27a6"
},
{
"value": "Nucrypt",
@ -251,7 +270,8 @@
"refs": [
"https://www.botnets.fr/wiki.old/index.php?title=Nucrypt&setlang=en"
]
}
},
"uuid": "ec9917f4-006b-4a32-9a58-c03b5c85abe4"
},
{
"value": "Wopla",
@ -259,7 +279,8 @@
"refs": [
"https://www.botnets.fr/wiki.old/index.php/Wopla"
]
}
},
"uuid": "b2ec8e6b-414d-4d76-b51c-8ba3eee2918d"
},
{
"value": "Asprox",
@ -275,11 +296,12 @@
"Hydraflux"
],
"date": "2008"
}
},
"uuid": "0d58f329-1356-468c-88ab-e21fbb64c02b"
},
{
"value": "Spamthru",
"description": "Spam Thru represented an expontential jump in the level of sophistication and complexity of these botnets, harnessing a 70,000 strong peer to peer botnet seeded with the Spam Thru Trojan. Spam Thru is also known by the Aliases Backdoor.Win32.Agent.uu, Spam-DComServ and Troj_Agent.Bor. Spam Thru was unique because it had its own antivirus engine designed to remove any other malicious programs residing in the same infected host machine so that it can get unlimited access to the machines processing power as well as bandwidth. It also had the potential to be 10 times more productive than most other botnets while evading detection because of in-built defences.",
"description": "Spam Thru represented an expontential jump in the level of sophistication and complexity of these botnets, harnessing a 70,000 strong peer to peer botnet seeded with the Spam Thru Trojan. Spam Thru is also known by the Aliases Backdoor.Win32.Agent.uu, Spam-DComServ and Troj_Agent.Bor. Spam Thru was unique because it had its own antivirus engine designed to remove any other malicious programs residing in the same infected host machine so that it can get unlimited access to the machine\u2019s processing power as well as bandwidth. It also had the potential to be 10 times more productive than most other botnets while evading detection because of in-built defences.",
"meta": {
"refs": [
"http://www.root777.com/security/analysis-of-spam-thru-botnet/"
@ -289,7 +311,8 @@
"Covesmer",
"Xmiler"
]
}
},
"uuid": "3da8c2f9-dbbf-4825-9010-2261b2007d22"
},
{
"value": "Gumblar",
@ -299,7 +322,8 @@
"https://en.wikipedia.org/wiki/Gumblar"
],
"date": "2008"
}
},
"uuid": "5b83d0ac-3661-465e-b3ab-ca182d1eacad"
},
{
"value": "BredoLab",
@ -312,7 +336,8 @@
"synonyms": [
"Oficla"
]
}
},
"uuid": "65a30580-d542-4113-b00f-7fab98bd046c"
},
{
"value": "Grum",
@ -326,7 +351,8 @@
"Tedroo",
"Reddyb"
]
}
},
"uuid": "a2a601db-2ae7-4695-ac0c-0a3ea8822356"
},
{
"value": "Mega-D",
@ -338,7 +364,8 @@
"synonyms": [
"Ozdok"
]
}
},
"uuid": "c12537fc-1de5-4d12-ae36-649f32919059"
},
{
"value": "Kraken",
@ -350,7 +377,8 @@
"synonyms": [
"Kracken"
]
}
},
"uuid": "e721809b-2785-4ce3-b95a-7fde2762f736"
},
{
"value": "Festi",
@ -363,7 +391,8 @@
"synonyms": [
"Spamnost"
]
}
},
"uuid": "b76128e3-cea5-4df8-8d23-d9f3305e5a14"
},
{
"value": "Vulcanbot",
@ -373,7 +402,8 @@
"https://en.wikipedia.org/wiki/Vulcanbot"
],
"date": "March 2010"
}
},
"uuid": "dfd17a50-65df-4ddc-899e-1052e5001a1f"
},
{
"value": "LowSec",
@ -384,7 +414,8 @@
"FreeMoney",
"Ring0.Tools"
]
}
},
"uuid": "533e3474-d08d-4d02-8adc-3765750dd3a3"
},
{
"value": "TDL4",
@ -398,7 +429,8 @@
"TDSS",
"Alureon"
]
}
},
"uuid": "61a17703-7837-4cc9-b022-b5ed6b30efc1"
},
{
"value": "Zeus",
@ -415,7 +447,8 @@
"Gorhax",
"Kneber"
]
}
},
"uuid": "e878d24d-f122-48c4-930c-f6b6d5f0ee28"
},
{
"value": "Kelihos",
@ -428,7 +461,8 @@
"synonyms": [
"Hlux"
]
}
},
"uuid": "07b10419-e8b5-4b5f-a179-77fc9b127dc6"
},
{
"value": "Ramnit",
@ -438,7 +472,8 @@
"https://en.wikipedia.org/wiki/Botnet"
],
"date": "2011"
}
},
"uuid": "8ed81090-f098-4878-b87e-2d801b170759"
},
{
"value": "Zer0n3t",
@ -449,7 +484,8 @@
"Zer0n3t",
"Zer0Log1x"
]
}
},
"uuid": "417c36fb-fff7-40df-8387-07169113b9b4"
},
{
"value": "Chameleon",
@ -459,17 +495,19 @@
"https://en.wikipedia.org/wiki/Chameleon_botnet"
],
"date": "2012"
}
},
"uuid": "3084cd06-e415-4ff0-abd0-cf8fbf67c53c"
},
{
"value": "Mirai",
"description": "Mirai (Japanese for \"the future\", 未来) is a malware that turns networked devices running Linux into remotely controlled \"bots\" that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a whitehat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs's web site, an attack on French web host OVH, and the October 2016 Dyn cyberattack.",
"description": "Mirai (Japanese for \"the future\", \u672a\u6765) is a malware that turns networked devices running Linux into remotely controlled \"bots\" that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a whitehat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs's web site, an attack on French web host OVH, and the October 2016 Dyn cyberattack.",
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/Mirai_(malware)"
],
"date": "August 2016"
}
},
"uuid": "fcdfd4af-da35-49a8-9610-19be8a487185"
},
{
"value": "Satori",
@ -482,13 +520,15 @@
"synonyms": [
"Okiru"
]
}
},
"uuid": "e77cf495-632a-4459-aad1-cdf29d73683f"
},
{
"value": "BetaBot",
"meta": {
"date": "April 2017"
}
},
"uuid": "3d7c771b-b175-41c9-8ba1-904ef29715fa"
}
],
"name": "Botnet",

45
clusters/branded_vulnerability.json
View File

@ -10,7 +10,8 @@
"logo": [
"https://upload.wikimedia.org/wikipedia/commons/thumb/5/56/Meltdown_with_text.svg/300px-Meltdown_with_text.svg.png"
]
}
},
"uuid": "70bee5b7-0fa3-4a4d-98ee-d8ab787c6db1"
},
{
"value": "Spectre",
@ -23,49 +24,53 @@
"logo": [
"https://en.wikipedia.org/wiki/File:Spectre_with_text.svg"
]
}
},
"uuid": "36168188-6d14-463a-9713-f88764a83329"
},
{
"value": "Heartbleed",
"description": "Heartbleed is a security bug in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed may be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client. It results from improper input validation (due to a missing bounds check) in the implementation of the TLS heartbeat extension, thus the bug's name derives from heartbeat. The vulnerability is classified as a buffer over-read,[5] a situation where more data can be read than should be allowed.",
"meta": {
"aliases": [
"CVE-20140160"
"CVE-2014\u20130160"
],
"logo": [
"https://upload.wikimedia.org/wikipedia/commons/thumb/d/dc/Heartbleed.svg/440px-Heartbleed.svg.png"
]
}
},
"uuid": "d6d85947-e6ee-4d2e-bb48-437f31c7a270"
},
{
"value": "Shellshock",
"description": "Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.",
"meta": {
"aliases": [
"CVE-20146271"
"CVE-2014\u20136271"
],
"logo": [
"https://upload.wikimedia.org/wikipedia/commons/thumb/4/44/Shellshock-bug.png/440px-Shellshock-bug.png",
"https://upload.wikimedia.org/wikipedia/commons/8/86/Shellshock.png",
"https://cdn-images-1.medium.com/max/1600/1*bopQcJtKouPOJ_isSzanLw.png"
]
}
},
"uuid": "2102db77-5a51-40c1-bfc1-38fb7dcb7f05"
},
{
"value": "Ghost",
"description": "The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials. CVE-2015-0235 has been assigned to this issue.\nDuring a code audit Qualys researchers discovered a buffer overflow in the __nss_hostname_digits_dots() function of glibc. This bug can be triggered both locally and remotely via all the gethostbyname*() functions. Applications have access to the DNS resolver primarily through the gethostbyname*() set of functions. These functions convert a hostname into an IP address.",
"meta": {
"aliases": [
"CVE-20150235"
"CVE-2015\u20130235"
],
"logo": [
"https://cdn-images-1.medium.com/max/1600/1*HnCEOo0RUT1fliJjRT02lA.png"
]
}
},
"uuid": "a1640081-aa8d-4070-84b2-d23e2ae82799"
},
{
"value": "Stagefright",
"description": "Stagefright is the name given to a group of software bugs that affect versions 2.2 (\"Froyo\") and newer of the Android operating system. The name is taken from the affected library, which among other things, is used to unpack MMS messages. Exploitation of the bug allows an attacker to perform arbitrary operations on the victim's device through remote code execution and privilege escalation. Security researchers demonstrate the bugs with a proof of concept that sends specially crafted MMS messages to the victim device and in most cases requires no end-user actions upon message reception to succeed—the user doesnt have to do anything to accept the bug, it happens in the background. The phone number is the only target information.",
"description": "Stagefright is the name given to a group of software bugs that affect versions 2.2 (\"Froyo\") and newer of the Android operating system. The name is taken from the affected library, which among other things, is used to unpack MMS messages. Exploitation of the bug allows an attacker to perform arbitrary operations on the victim's device through remote code execution and privilege escalation. Security researchers demonstrate the bugs with a proof of concept that sends specially crafted MMS messages to the victim device and in most cases requires no end-user actions upon message reception to succeed\u2014the user doesn\u2019t have to do anything to \u2018accept\u2019 the bug, it happens in the background. The phone number is the only target information.",
"meta": {
"aliases": [
"CVE-2015-1538",
@ -81,7 +86,8 @@
"https://upload.wikimedia.org/wikipedia/en/f/f2/Stagefright_bug_logo.png",
"https://cdn-images-1.medium.com/max/1600/1*-Ivm3lZHNaOUwmklT4Rb1g.png"
]
}
},
"uuid": "352916e7-62bf-4b0c-bce7-da759d1a4f5f"
},
{
"value": "Badlock",
@ -91,7 +97,8 @@
"https://upload.wikimedia.org/wikipedia/commons/thumb/4/4b/Badlock_logo.svg/440px-Badlock_logo.svg.png",
"https://cdn-images-1.medium.com/max/1600/1*EVbwwxEBOU83NKxgQrPG9w.png"
]
}
},
"uuid": "74f2bd2c-69f1-4d28-8d42-94b7ef89f31e"
},
{
"value": "Dirty COW",
@ -103,31 +110,35 @@
"logo": [
"https://upload.wikimedia.org/wikipedia/commons/thumb/1/1b/DirtyCow.svg/440px-DirtyCow.svg.png"
]
}
},
"uuid": "54196537-cb0c-425c-83d6-437d41b4cc65"
},
{
"value": "POODLE",
"description": "The POODLE attack (which stands for \"Padding Oracle On Downgraded Legacy Encryptio\") is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0. If attackers successfully exploit this vulnerability, on average, they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages. Bodo Möller, Thai Duong and Krzysztof Kotowicz from the Google Security Team discovered this vulnerability; they disclosed the vulnerability publicly on October 14, 2014 (despite the paper being dated \"September 2014\" ). Ivan Ristic does not consider the POODLE attack as serious as the Heartbleed and Shellshock attacks. On December 8, 2014 a variation of the POODLE vulnerability that affected TLS was announced.",
"description": "The POODLE attack (which stands for \"Padding Oracle On Downgraded Legacy Encryptio\") is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0. If attackers successfully exploit this vulnerability, on average, they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages. Bodo M\u00f6ller, Thai Duong and Krzysztof Kotowicz from the Google Security Team discovered this vulnerability; they disclosed the vulnerability publicly on October 14, 2014 (despite the paper being dated \"September 2014\" ). Ivan Ristic does not consider the POODLE attack as serious as the Heartbleed and Shellshock attacks. On December 8, 2014 a variation of the POODLE vulnerability that affected TLS was announced.",
"meta": {
"aliases": [
"CVE-2014-3566"
]
}
},
"uuid": "22b9af72-48c9-4da1-b13d-15667dbdd998"
},
{
"value": "BadUSB",
"description": "The BadUSB vulnerability exploits unprotected firmware in order to deliver malicious code to computers and networks. This is achieved by reverse-engineering the device and reprogramming it. As the reprogrammed firmware is not monitored or assessed by modern security software, this attack method is extremely difficult for antivirus/security software to detect and prevent."
"description": "The \u2018BadUSB\u2019 vulnerability exploits unprotected firmware in order to deliver malicious code to computers and networks. This is achieved by reverse-engineering the device and reprogramming it. As the reprogrammed firmware is not monitored or assessed by modern security software, this attack method is extremely difficult for antivirus/security software to detect and prevent.",
"uuid": "bc3a3299-1443-4390-8b25-4bb280c1abd7"
},
{
"value": "ImageTragick",
"meta": {
"aliases": [
"CVE-20163714"
"CVE-2016\u20133714"
],
"logo": [
"https://imagetragick.com/img/logo-medium.png"
]
}
},
"uuid": "e85e1270-eec5-4331-8004-a063125a54b4"
}
],
"version": 1,

18
clusters/cert-eu-govsector.json
View File

@ -1,22 +1,28 @@
{
"values": [
{
"value": "Constituency"
"value": "Constituency",
"uuid": "8ebd301f-067f-499d-8718-f63c8ced73ac"
},
{
"value": "EU-Centric"
"value": "EU-Centric",
"uuid": "bf3fd6a1-692e-4d77-b17d-496f71eebac9"
},
{
"value": "EU-nearby"
"value": "EU-nearby",
"uuid": "536dada1-30e5-453a-9611-33597ab5c373"
},
{
"value": "World-class"
"value": "World-class",
"uuid": "8024aa5d-d0b0-4114-87c9-92e358c96850"
},
{
"value": "Unknown"
"value": "Unknown",
"uuid": "32f8b3dd-defc-47c8-a070-378f5e0e1be8"
},
{
"value": "Outside World"
"value": "Outside World",
"uuid": "adc80f46-86ef-4de8-95d1-15c45c15d002"
}
],
"version": 1,

131
clusters/exploit-kit.json
View File

@ -12,14 +12,16 @@
"Stegano EK"
],
"status": "Active"
}
},
"uuid": "e9ca60cd-94fc-4a54-ac98-30e675a46b3e"
},
{
"value": "Bingo",
"description": "Bingo EK is the name chosen by the defense for a Fiesta-ish EK first spotted in March 2017 and targetting at that times mostly Russia",
"meta": {
"status": "Active"
}
},
"uuid": "9e864c01-3d9e-4b8d-811e-46471ff866e9"
},
{
"value": "Terror EK",
@ -33,11 +35,12 @@
"Neptune EK"
],
"status": "Active"
}
},
"uuid": "f15f9264-854e-4e25-8641-cde2faeb86e9"
},
{
"value": "DealersChoice",
"description": "DealersChoice is a Flash Player Exploit platform triggered by RTF.\n\nDealersChoice is a platform that generates malicious documents containing embedded Adobe Flash files. Palo Alto Network researchers analyzed two variants — variant A, which is a standalone variant including Flash exploit code packaged with a payload, and variant B, which is a modular variant that loads exploit code on demand. This new component appeared in 2016 and is still in use.",
"description": "DealersChoice is a Flash Player Exploit platform triggered by RTF.\n\nDealersChoice is a platform that generates malicious documents containing embedded Adobe Flash files. Palo Alto Network researchers analyzed two variants\u2009\u2014\u2009variant A, which is a standalone variant including Flash exploit code packaged with a payload, and variant B, which is a modular variant that loads exploit code on demand. This new component appeared in 2016 and is still in use.",
"meta": {
"refs": [
"http://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/",
@ -48,7 +51,8 @@
"Sednit RTF EK"
],
"status": "Active"
}
},
"uuid": "0f116533-a755-4cfc-815a-fa6bcb85efb7"
},
{
"value": "DNSChanger",
@ -62,7 +66,8 @@
"RouterEK"
],
"status": "Active"
}
},
"uuid": "74fb6a14-1279-4a5b-939a-76478d36d3e1"
},
{
"value": "Disdain",
@ -72,7 +77,8 @@
"http://blog.trendmicro.com/trendlabs-security-intelligence/new-disdain-exploit-kit-detected-wild/"
],
"status": "Active"
}
},
"uuid": "1ded776d-6772-4cc8-a27f-f61e24a58d96"
},
{
"value": "Kaixin",
@ -86,7 +92,8 @@
"CK vip"
],
"status": "Active"
}
},
"uuid": "e6c1cfcf-3e37-4f5a-9494-989dd8c43d88"
},
{
"value": "Magnitude",
@ -103,7 +110,8 @@
"TopExp"
],
"status": "Active"
}
},
"uuid": "6a313e11-5bb2-40ed-8cde-9de768b783b1"
},
{
"value": "MWI",
@ -114,7 +122,8 @@
"https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-microsoft-word-intruder-revealed.pdf"
],
"status": "Active"
}
},
"uuid": "489acbf2-d80b-4bb5-ac7d-c8573dcb6324"
},
{
"value": "RIG",
@ -133,7 +142,8 @@
"Meadgive"
],
"status": "Active"
}
},
"uuid": "0545e5c0-ed0d-4a02-a69d-31e9e2b31e8a"
},
{
"value": "Sednit EK",
@ -147,7 +157,8 @@
"SedKit"
],
"status": "Active"
}
},
"uuid": "c8b9578a-78be-420c-a29b-9214d09685c8"
},
{
"value": "Sundown-P",
@ -161,7 +172,8 @@
"CaptainBlack"
],
"status": "Active"
}
},
"uuid": "3235ae90-598b-45dc-b336-852817b271a8"
},
{
"value": "Bizarro Sundown",
@ -175,7 +187,8 @@
"Sundown-b"
],
"status": "Retired"
}
},
"uuid": "ef3b170e-3fbe-420b-b202-4689da137c50"
},
{
"value": "Hunter",
@ -188,7 +201,8 @@
"3ROS Exploit Kit"
],
"status": "Retired - Last seen 2017-02-06"
}
},
"uuid": "96b2b31e-b191-43c4-9929-48ba1cbee62c"
},
{
"value": "GreenFlash Sundown",
@ -201,7 +215,8 @@
"Sundown-GF"
],
"status": "Active"
}
},
"uuid": "6e5c0dbb-fb0b-45ea-ac6c-bb6d8324bbd2"
},
{
"value": "Angler",
@ -218,7 +233,8 @@
"Axpergle"
],
"status": "Retired - Last seen: 2016-06-07"
}
},
"uuid": "5daf41c7-b297-4228-85d1-eb040d5b7c90"
},
{
"value": "Archie",
@ -228,7 +244,8 @@
"https://www.alienvault.com/blogs/labs-research/archie-just-another-exploit-kit"
],
"status": "Retired"
}
},
"uuid": "2756caae-d2c5-4170-9e76-2b7f1b1fccb1"
},
{
"value": "BlackHole",
@ -242,7 +259,8 @@
"BHEK"
],
"status": "Retired - Last seen: 2013-10-07"
}
},
"uuid": "e6201dc3-01a7-40c5-ba72-02fa470ada53"
},
{
"value": "Bleeding Life",
@ -257,7 +275,8 @@
"BL2"
],
"status": "Retired"
}
},
"uuid": "5abe6240-dce2-4455-8125-ddae2e651243"
},
{
"value": "Cool",
@ -273,7 +292,8 @@
"Styxy Cool"
],
"status": "Retired - Last seen: 2013-10-07"
}
},
"uuid": "9bb229b0-80f9-48e5-b8fb-00ee7af070cb"
},
{
"value": "Fiesta",
@ -288,7 +308,8 @@
"Fiexp"
],
"status": "Retired - Last Seen: beginning of 2015-07"
}
},
"uuid": "f50f860a-d795-4f4e-a170-8190f65499ad"
},
{
"value": "Empire",
@ -301,7 +322,8 @@
"RIG-E"
],
"status": "Retired - Last seen: 2016-12-29"
}
},
"uuid": "6eb15569-4ddd-4820-9a44-7bca5b303b86"
},
{
"value": "FlashPack",
@ -318,7 +340,8 @@
"Vintage Pack"
],
"status": "Retired - Last seen: middle of 2015-04"
}
},
"uuid": "55a30ccc-8905-4af2-a498-5c0010815cc1"
},
{
"value": "GrandSoft",
@ -334,7 +357,8 @@
"SofosFO"
],
"status": "Active"
}
},
"uuid": "180b6969-2aca-4642-b684-b57db8f0eff8"
},
{
"value": "HanJuan",
@ -347,7 +371,8 @@
"https://twitter.com/kafeine/status/562575744501428226"
],
"status": "Retired - Last seen: 2015-07"
}
},
"uuid": "886abdc6-db1a-4fc5-afe0-e17d65a83614"
},
{
"value": "Himan",
@ -360,7 +385,8 @@
"High Load"
],
"status": "Retired - Last seen: 2014-04"
}
},
"uuid": "3d0cb558-7f04-4be8-963e-5f137566b07b"
},
{
"value": "Impact",
@ -370,7 +396,8 @@
"http://malware.dontneedcoffee.com/2012/12/inside-impact-exploit-kit-back-on-track.html"
],
"status": "Retired"
}
},
"uuid": "319357b4-3041-4a71-89c5-51be08041d1b"
},
{
"value": "Infinity",
@ -385,7 +412,8 @@
"Goon"
],
"status": "Retired - Last seen: 2014-07"
}
},
"uuid": "4b858835-7b31-4b94-8144-b5175da1551f"
},
{
"value": "Lightsout",
@ -397,7 +425,8 @@
"http://malwageddon.blogspot.fr/2013/09/unknown-ek-by-way-how-much-is-fish.html"
],
"status": "Unknown - Last seen: 2014-03"
}
},
"uuid": "244c05f8-1a2f-47fb-9dcf-2eaa99ab6aa1"
},
{
"value": "Nebula",
@ -407,7 +436,8 @@
"http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.html"
],
"status": "Retired - Last seen 2017-03-09"
}
},
"uuid": "4ca96067-8fdd-4b48-bd34-d2e175e27bad"
},
{
"value": "Neutrino",
@ -423,7 +453,8 @@
"Neutrino-v"
],
"status": "Retired - Last seen 2017-04-10"
}
},
"uuid": "218ae39b-2f92-4355-91c6-50cce319d26d"
},
{
"value": "Niteris",
@ -437,7 +468,8 @@
"CottonCastle"
],
"status": "Unknown - Last seen: 2015-11"
}
},
"uuid": "b344133f-e223-4fda-8fb2-88ad7999e549"
},
{
"value": "Nuclear",
@ -453,7 +485,8 @@
"Neclu"
],
"status": "Retired - Last seen: 2015-04-30"
}
},
"uuid": "e7c516f9-5222-4f0d-b80b-ae9f4c24583d"
},
{
"value": "Phoenix",
@ -467,7 +500,8 @@
"PEK"
],
"status": "Retired"
}
},
"uuid": "0df2c7a6-046f-4489-8c77-0999c92c839d"
},
{
"value": "Private Exploit Pack",
@ -481,7 +515,8 @@
"PEP"
],
"status": "Retired"
}
},
"uuid": "cfd0a4af-f559-496f-b56b-97145ea4e4c3"
},
{
"value": "Redkit",
@ -493,7 +528,8 @@
"https://nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kit-part-2/"
],
"status": "Retired"
}
},
"uuid": "6958ff90-75e8-47ee-ab07-daa8d487130c"
},
{
"value": "Sakura",
@ -503,7 +539,8 @@
"http://www.xylibox.com/2012/01/sakura-exploit-pack-10.html"
],
"status": "Retired - Last seen: 2013-09"
}
},
"uuid": "12af9112-3ac5-4422-858e-a22c293c6117"
},
{
"value": "SPL",
@ -518,7 +555,8 @@
"SPLNet",
"SPL2"
]
}
},
"uuid": "15936d30-c151-4051-835e-df327143ce76"
},
{
"value": "Sundown",
@ -535,7 +573,8 @@
],
"status": "Retired - Last seen 2017-03-08",
"colour": "#C03701"
}
},
"uuid": "670e28c4-001a-4ba4-b276-441620225123"
},
{
"value": "Sweet-Orange",
@ -549,7 +588,8 @@
"Anogre"
],
"status": "Retired - Last seen: 2015-04-05"
}
},
"uuid": "222bc508-4d8d-4972-9cac-65192cfefd43"
},
{
"value": "Styx",
@ -561,7 +601,8 @@
"http://malware.dontneedcoffee.com/2013/05/inside-styx-2013-05.html"
],
"status": "Retired - Last seen: 2014-06"
}
},
"uuid": "006eaa87-e8a6-4808-93ff-302b52c628b0"
},
{
"value": "WhiteHole",
@ -571,7 +612,8 @@
"http://malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html"
],
"status": "Retired - Last seen: 2013-12"
}
},
"uuid": "570bc715-7fe8-430b-bd2e-5512c95f2370"
},
{
"value": "Unknown",
@ -582,7 +624,8 @@
"https://twitter.com/node5",
"https://twitter.com/kahusecurity"
]
}
},
"uuid": "00815961-3249-4e2e-9421-bb57feb73bb2"
}
],
"version": 6,

39
clusters/microsoft-activity-group.json
View File

@ -15,8 +15,9 @@
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
]
},
"description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.",
"value": "PROMETHIUM"
"description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features\u2014this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.",
"value": "PROMETHIUM",
"uuid": "5744f91a-d2d8-4f92-920f-943dd80c578f"
},
{
"meta": {
@ -24,8 +25,9 @@
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
]
},
"description": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoors characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.",
"value": "NEODYMIUM"
"description": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoor\u2019s characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.",
"value": "NEODYMIUM",
"uuid": "47b5007a-3fb1-466a-9578-629e6e735493"
},
{
"meta": {
@ -34,7 +36,8 @@
]
},
"description": "Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.",
"value": "TERBIUM"
"value": "TERBIUM",
"uuid": "99784b80-6298-45ba-885c-0ed37bfd8324"
},
{
"meta": {
@ -57,8 +60,9 @@
"Grey-Cloud"
]
},
"description": "STRONTIUM has been active since at least 2007. Whereas most modern untargeted malware is ultimately profit-oriented, STRONTIUM mainly seeks sensitive information. Its primary institutional targets have included government bodies, diplomatic institutions, and military forces and installations in NATO member states and certain Eastern European countries. Additional targets have included journalists, political advisors, and organizations associated with political activism in central Asia. STRONTIUM is an activity group that usually targets government agencies, diplomatic institutions, and military organizations, as well as affiliated private sector organizations such as defense contractors and public policy research institutes. Microsoft has attributed more 0-day exploits to STRONTIUM than any other tracked group in 2016. STRONTIUM frequently uses compromised e-mail accounts from one victim to send malicious e-mails to a second victim and will persistently pursue specific targets for months until they are successful in compromising the victims computer. ",
"value": "STRONTIUM"
"description": "STRONTIUM has been active since at least 2007. Whereas most modern untargeted malware is ultimately profit-oriented, STRONTIUM mainly seeks sensitive information. Its primary institutional targets have included government bodies, diplomatic institutions, and military forces and installations in NATO member states and certain Eastern European countries. Additional targets have included journalists, political advisors, and organizations associated with political activism in central Asia. STRONTIUM is an activity group that usually targets government agencies, diplomatic institutions, and military organizations, as well as affiliated private sector organizations such as defense contractors and public policy research institutes. Microsoft has attributed more 0-day exploits to STRONTIUM than any other tracked group in 2016. STRONTIUM frequently uses compromised e-mail accounts from one victim to send malicious e-mails to a second victim and will persistently pursue specific targets for months until they are successful in compromising the victims\u2019 computer. ",
"value": "STRONTIUM",
"uuid": "213cdde9-c11a-4ea9-8ce0-c868e9826fec"
},
{
"description": "DUBNIUM (which shares indicators with what Kaspersky researchers have called DarkHotel) is one of the activity groups that has been very active in recent years, and has many distinctive features.",
@ -73,17 +77,19 @@
"synonyms": [
"darkhotel"
]
}
},
"uuid": "b56af6ab-69f8-457a-bf50-c3aefa6dc14a"
},
{
"description": "PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The groups persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat.",
"description": "PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The group\u2019s persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat.",
"value": "PLATINUM",
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/",
"http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf"
]
}
},
"uuid": "154e97b5-47ef-415a-99a6-2157f1b50339"
},
{
"meta": {
@ -91,8 +97,9 @@
"https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/"
]
},
"description": "Microsoft Threat Intelligence associates Winnti with multiple activity groups—collections of malware, supporting infrastructure, online personas, victimology, and other attack artifacts that the Microsoft intelligent security graph uses to categorize and attribute threat activity. Microsoft labels activity groups using code names derived from elements in the periodic table. In the case of this malware, the activity groups strongly associated with Winnti are BARIUM and LEAD. But even though they share the use of Winnti, the BARIUM and LEAD activity groups are involved in very different intrusion scenarios. BARIUM begins its attacks by cultivating relationships with potential victims—particularly those working in Business Development or Human Resources—on various social media platforms. Once BARIUM has established rapport, they spear-phish the victim using a variety of unsophisticated malware installation vectors, including malicious shortcut (.lnk) files with hidden payloads, compiled HTML help (.chm) files, or Microsoft Office documents containing macros or exploits. Initial intrusion stages feature the Win32/Barlaiy implant—notable for its use of social network profiles, collaborative document editing sites, and blogs for C&C. Later stages of the intrusions rely upon Winnti for persistent access. The majority of victims recorded to date have been in electronic gaming, multimedia, and Internet content industries, although occasional intrusions against technology companies have occurred.",
"value": "BARIUM"
"description": "Microsoft Threat Intelligence associates Winnti with multiple activity groups\u2014collections of malware, supporting infrastructure, online personas, victimology, and other attack artifacts that the Microsoft intelligent security graph uses to categorize and attribute threat activity. Microsoft labels activity groups using code names derived from elements in the periodic table. In the case of this malware, the activity groups strongly associated with Winnti are BARIUM and LEAD. But even though they share the use of Winnti, the BARIUM and LEAD activity groups are involved in very different intrusion scenarios. BARIUM begins its attacks by cultivating relationships with potential victims\u2014particularly those working in Business Development or Human Resources\u2014on various social media platforms. Once BARIUM has established rapport, they spear-phish the victim using a variety of unsophisticated malware installation vectors, including malicious shortcut (.lnk) files with hidden payloads, compiled HTML help (.chm) files, or Microsoft Office documents containing macros or exploits. Initial intrusion stages feature the Win32/Barlaiy implant\u2014notable for its use of social network profiles, collaborative document editing sites, and blogs for C&C. Later stages of the intrusions rely upon Winnti for persistent access. The majority of victims recorded to date have been in electronic gaming, multimedia, and Internet content industries, although occasional intrusions against technology companies have occurred.",
"value": "BARIUM",
"uuid": "cc70bdbd-afa7-4e19-bba2-2443811ef3af"
},
{
"meta": {
@ -100,8 +107,9 @@
"https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/"
]
},
"description": "In contrast, LEAD has established a far greater reputation for industrial espionage. In the past few years, LEADs victims have included: Multinational, multi-industry companies involved in the manufacture of textiles, chemicals, and electronics Pharmaceutical companies A company in the chemical industry University faculty specializing in aeronautical engineering and research A company involved in the design and manufacture of motor vehicles A cybersecurity company focusing on protecting industrial control systems During these intrusions, LEADs objective was to steal sensitive data, including research materials, process documents, and project plans. LEAD also steals code-signing certificates to sign its malware in subsequent attacks. In most cases, LEADs attacks do not feature any advanced exploit techniques. The group also does not make special effort to cultivate victims prior to an attack. Instead, the group often simply emails a Winnti installer to potential victims, relying on basic social engineering tactics to convince recipients to run the attached malware. In some other cases, LEAD gains access to a target by brute-forcing remote access login credentials, performing SQL injection, or exploiting unpatched web servers, and then they copy the Winnti installer directly to compromised machines.",
"value": "LEAD"
"description": "In contrast, LEAD has established a far greater reputation for industrial espionage. In the past few years, LEAD\u2019s victims have included: Multinational, multi-industry companies involved in the manufacture of textiles, chemicals, and electronics Pharmaceutical companies A company in the chemical industry University faculty specializing in aeronautical engineering and research A company involved in the design and manufacture of motor vehicles A cybersecurity company focusing on protecting industrial control systems During these intrusions, LEAD\u2019s objective was to steal sensitive data, including research materials, process documents, and project plans. LEAD also steals code-signing certificates to sign its malware in subsequent attacks. In most cases, LEAD\u2019s attacks do not feature any advanced exploit techniques. The group also does not make special effort to cultivate victims prior to an attack. Instead, the group often simply emails a Winnti installer to potential victims, relying on basic social engineering tactics to convince recipients to run the attached malware. In some other cases, LEAD gains access to a target by brute-forcing remote access login credentials, performing SQL injection, or exploiting unpatched web servers, and then they copy the Winnti installer directly to compromised machines.",
"value": "LEAD",
"uuid": "f542442e-ba0f-425d-b386-6c10351a468e"
},
{
"meta": {
@ -110,7 +118,8 @@
]
},
"description": "In addition to strengthening generic detection of EoP exploits, Microsoft security researchers are actively gathering threat intelligence and indicators attributable to ZIRCONIUM, the activity group using the CVE-2017-0005 exploit. ",
"value": "ZIRCONIUM"
"value": "ZIRCONIUM",
"uuid": "2d19c573-252b-49d8-8c2e-3b529b91e72d"
}
]
}

54
clusters/preventive-measure.json
View File

@ -13,7 +13,8 @@
]
},
"value": "Backup and Restore Process",
"description": "Make sure to have adequate backup processes on place and frequently test a restore of these backups.\n(Schrödinger's backup - it is both existent and non-existent until you've tried a restore"
"description": "Make sure to have adequate backup processes on place and frequently test a restore of these backups.\n(Schr\u00f6dinger's backup - it is both existent and non-existent until you've tried a restore",
"uuid": "5f942376-ea5b-4b23-9c26-81d3aeba7fb4"
},
{
"meta": {
@ -29,7 +30,8 @@
]
},
"value": "Block Macros",
"description": "Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes:\nA.) Open downloaded documents in 'Protected View'\nB.) Open downloaded documents and block all macros"
"description": "Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes:\nA.) Open downloaded documents in 'Protected View'\nB.) Open downloaded documents and block all macros",
"uuid": "79563662-8d92-4fd1-929a-9b8926a62685"
},
{
"meta": {
@ -45,7 +47,8 @@
"possible_issues": "Administrative VBS scripts on Workstations"
},
"value": "Disable WSH",
"description": "Disable Windows Script Host"
"description": "Disable Windows Script Host",
"uuid": "e6df1619-f8b3-476c-b5cf-22b4c9e9dd7f"
},
{
"meta": {
@ -57,7 +60,8 @@
]
},
"value": "Filter Attachments Level 1",
"description": "Filter the following attachments on your mail gateway:\n.ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .ht, .hta, .inf, .ins, .isp, .jar, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .ocx, .pcd, .ps1, .reg, .scr, .sct, .shs, .svg, .url, .vb, .vbe, .vbs, .wbk, .wsc, .ws, .wsf, .wsh, .exe, .pif, .pub"
"description": "Filter the following attachments on your mail gateway:\n.ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .ht, .hta, .inf, .ins, .isp, .jar, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .ocx, .pcd, .ps1, .reg, .scr, .sct, .shs, .svg, .url, .vb, .vbe, .vbs, .wbk, .wsc, .ws, .wsf, .wsh, .exe, .pif, .pub",
"uuid": "7055b72b-b113-4f93-8387-e6f58ce5fc92"
},
{
"meta": {
@ -70,7 +74,8 @@
"possible_issues": "Office Communication with old versions of Microsoft Office files (.doc, .xls) "
},
"value": "Filter Attachments Level 2",
"description": "Filter the following attachments on your mail gateway:\n(Filter expression of Level 1 plus) .doc, .xls, .rtf, .docm, .xlsm, .pptm"
"description": "Filter the following attachments on your mail gateway:\n(Filter expression of Level 1 plus) .doc, .xls, .rtf, .docm, .xlsm, .pptm",
"uuid": "8c9bbbf5-a321-4eb1-8c03-a399a9687687"
},
{
"meta": {
@ -87,7 +92,8 @@
"possible_issues": "Web embedded software installers"
},
"value": "Restrict program execution",
"description": "Block all program executions from the %LocalAppData% and %AppData% folder"
"description": "Block all program executions from the %LocalAppData% and %AppData% folder",
"uuid": "6a234b1d-8e86-49c4-91d6-cc3be3d04f74"
},
{
"meta": {
@ -102,7 +108,8 @@
]
},
"value": "Show File Extensions",
"description": "Set the registry key \"HideFileExt\" to 0 in order to show all file extensions, even of known file types. This helps avoiding cloaking tricks that use double extensions. (e.g. \"not_a_virus.pdf.exe\")"
"description": "Set the registry key \"HideFileExt\" to 0 in order to show all file extensions, even of known file types. This helps avoiding cloaking tricks that use double extensions. (e.g. \"not_a_virus.pdf.exe\")",
"uuid": "5b911d46-66c8-4180-ab97-663a0868264e"
},
{
"meta": {
@ -118,7 +125,8 @@
"possible_issues": "administrator resentment"
},
"value": "Enforce UAC Prompt",
"description": "Enforce administrative users to confirm an action that requires elevated rights"
"description": "Enforce administrative users to confirm an action that requires elevated rights",
"uuid": "3f8c55db-611e-4831-b624-f9cbdc3b0e11"
},
{
"meta": {
@ -131,7 +139,8 @@
"possible_issues": "Higher administrative costs"
},
"value": "Remove Admin Privileges",
"description": "Remove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to."
"description": "Remove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to.",
"uuid": "168f94d3-4ffc-4ea6-8f2e-8ba699f0fef6"
},
{
"meta": {
@ -143,7 +152,8 @@
]
},
"value": "Restrict Workstation Communication",
"description": "Activate the Windows Firewall to restrict workstation to workstation communication"
"description": "Activate the Windows Firewall to restrict workstation to workstation communication",
"uuid": "fb25c345-0cee-4ae7-ab31-c1c801cde1c2"
},
{
"meta": {
@ -154,7 +164,8 @@
]
},
"value": "Sandboxing Email Input",
"description": "Using sandbox that opens email attachments and removes attachments based on behavior analysis"
"description": "Using sandbox that opens email attachments and removes attachments based on behavior analysis",
"uuid": "7960740f-71a5-42db-8a1a-1c7ccbf83349"
},
{
"meta": {
@ -165,7 +176,8 @@
]
},
"value": "Execution Prevention",
"description": "Software that allows to control the execution of processes - sometimes integrated in Antivirus software\nFree: AntiHook, ProcessGuard, System Safety Monitor"
"description": "Software that allows to control the execution of processes - sometimes integrated in Antivirus software\nFree: AntiHook, ProcessGuard, System Safety Monitor",
"uuid": "bfda0c9e-1303-4861-b028-e0506dd8861c"
},
{
"meta": {
@ -181,7 +193,8 @@
"possible_issues": "Some extensions will have legitimate uses, e.g., .vbs for logon scripts."
},
"value": "Change Default \"Open With\" to Notepad",
"description": "Force extensions primarily used for infections to open up in Notepad rather than Windows Script Host or Internet Explorer"
"description": "Force extensions primarily used for infections to open up in Notepad rather than Windows Script Host or Internet Explorer",
"uuid": "3b7bc1b2-e04f-4492-b3b1-87bb6701635b"
},
{
"meta": {
@ -196,7 +209,8 @@
]
},
"value": "File Screening",
"description": "Server-side file screening with the help of File Server Resource Manager"
"description": "Server-side file screening with the help of File Server Resource Manager",
"uuid": "79769940-7cd2-4aaa-80da-b90c0372b898"
},
{
"meta": {
@ -213,7 +227,8 @@
"possible_issues": "Configure & test extensively"
},
"value": "Restrict program execution #2",
"description": "Block program executions (AppLocker)"
"description": "Block program executions (AppLocker)",
"uuid": "feb6cddb-4182-4515-94dc-0eadffcdc098"
},
{
"meta": {
@ -229,7 +244,8 @@
]
},
"value": "EMET",
"description": "Detect and block exploitation techniques"
"description": "Detect and block exploitation techniques",
"uuid": "5f0a749f-88f2-4e6e-8fd8-46307f8439f6"
},
{
"meta": {
@ -244,7 +260,8 @@
]
},
"value": "Sysmon",
"description": "Detect Ransomware in an early stage with new Sysmon 5 File/Registry monitoring"
"description": "Detect Ransomware in an early stage with new Sysmon 5 File/Registry monitoring",
"uuid": "1b1e5664-4250-459b-adbb-f0b33f64bf7e"
},
{
"value": "Blacklist-phone-numbers",
@ -256,7 +273,8 @@
"effectiveness": "Medium",
"impact": "Medium",
"complexity": "Low"
}
},
"uuid": "123e20c5-8f44-4de5-a183-6890788e5a81"
}
],
"name": "Preventive Measure",

1865
clusters/ransomware.json
View File

File diff suppressed because it is too large Load Diff

736
clusters/rat.json
View File

File diff suppressed because it is too large Load Diff

357
clusters/sector.json
View File

@ -1,361 +1,480 @@
{
"values": [
{
"value": "Unknown"
"value": "Unknown",
"uuid": "3ff4e243-7e26-4535-b911-fdda2f724aa2"
},
{
"value": "Other"
"value": "Other",
"uuid": "03655488-3d11-4fbf-8fe6-6148aaa01b83"
},
{
"value": "Academia - University"
"value": "Academia - University",
"uuid": "98821a86-3c11-474b-afab-3c84af061407"
},
{
"value": "Activists"
"value": "Activists",
"uuid": "0a62f502-0a51-44ac-82a3-0a965b98c7a9"
},
{
"value": "Aerospace"
"value": "Aerospace",
"uuid": "12f90076-f03d-4a2d-9f33-7a274dc462bb"
},
{
"value": "Agriculture"
"value": "Agriculture",
"uuid": "e2214f48-0cdd-4110-ba59-e703282adf2c"
},
{
"value": "Arts"
"value": "Arts",
"uuid": "b5283132-9245-4a5f-b4bc-1937fd80d80a"
},
{
"value": "Bank"
"value": "Bank",
"uuid": "19cc9f22-e682-4808-a96c-82e573703dff"
},
{
"value": "Chemical"
"value": "Chemical",
"uuid": "306f828d-8eb8-4adb-bee9-3211bf2a4ff7"
},
{
"value": "Citizens"
"value": "Citizens",
"uuid": "f50c1d4d-9d7c-4076-b5d4-e86dd5de4628"
},
{
"value": "Civil Aviation"
"value": "Civil Aviation",
"uuid": "ed13b6c9-c32c-4a58-82a7-ce64dc7fa086"
},
{
"value": "Country"
"value": "Country",
"uuid": "89e7e93a-394f-48e3-ba70-501df2f010c0"
},
{
"value": "Culture"
"value": "Culture",
"uuid": "8c645d4e-8fcc-48a8-9656-5135cfbc10a6"
},
{
"value": "Data Broker"
"value": "Data Broker",
"uuid": "0a2c80eb-ae5d-4d5e-b6fd-2703bc6a750d"
},
{
"value": "Defense"
"value": "Defense",
"uuid": "9df5fb28-2298-4030-9db3-8cdef35bee14"
},
{
"value": "Development"
"value": "Development",
"uuid": "96b329b2-2f04-4ce7-8ef2-bf3d898028c9"
},
{
"value": "Diplomacy"
"value": "Diplomacy",
"uuid": "33cbaf17-7600-47f7-87c7-39640874a1b4"
},
{
"value": "Education"
"value": "Education",
"uuid": "19eca562-123d-449b-af33-5a36e5279b12"
},
{
"value": "Electric"
"value": "Electric",
"uuid": "ac2dad84-5194-41bb-9edd-aad8d42f828f"
},
{
"value": "Electronic"
"value": "Electronic",
"uuid": "04e0eef9-d7e8-4280-86bb-cc9897be8e08"
},
{
"value": "Employment"
"value": "Employment",
"uuid": "474e6647-ff06-4a9b-8061-a1a43baf8b15"
},
{
"value": "Energy"
"value": "Energy",
"uuid": "3a94474b-7e23-4e06-9129-faea7ef55af8"
},
{
"value": "Entertainment"
"value": "Entertainment",
"uuid": "beb9d5d6-53df-4e99-8fa8-e52880fbe740"
},
{
"value": "Environment"
"value": "Environment",
"uuid": "8291a998-e888-4351-87ec-c6da6b06bff6"
},
{
"value": "Finance"
"value": "Finance",
"uuid": "75597b7f-54e8-4f14-88c9-e81485ece483"
},
{
"value": "Food"
"value": "Food",
"uuid": "9ade7eff-e2ce-4f05-85de-bb6b70444db4"
},
{
"value": "Game"
"value": "Game",
"uuid": "64493b1b-04eb-4f4d-94c7-65c3713131de"
},
{
"value": "Gas"
"value": "Gas",
"uuid": "851c28c6-2e80-4d63-959b-44037931175b"
},
{
"value": "Government, Administration"
"value": "Government, Administration",
"uuid": "6012ecea-dcc8-490c-b368-e2e06b2cb62f"
},
{
"value": "Health"
"value": "Health",
"uuid": "4649fe79-cb8f-4aa3-b3e0-e67d4161fcb0"
},
{
"value": "Higher education"
"value": "Higher education",
"uuid": "b822d660-fad3-40da-b4db-9bbf8fe23b27"
},
{
"value": "Hotels"
"value": "Hotels",
"uuid": "909f4de6-91ea-44b6-9c8f-5983fd4877c2"
},
{
"value": "Infrastructure"
"value": "Infrastructure",
"uuid": "641af156-12d0-4fb4-b89d-971cd454914f"
},
{
"value": "Intelligence"
"value": "Intelligence",
"uuid": "7aeb79bf-cc1a-49b5-b2ec-5b1fe4a7e295"
},
{
"value": "IT"
"value": "IT",
"uuid": "3f18e5e7-c77d-4890-9d09-412a39a822e5"
},
{
"value": "IT - Hacker"
"value": "IT - Hacker",
"uuid": "342d0a71-584c-4e3f-9b2d-1dc5b5e53e97"
},
{
"value": "IT - ISP"
"value": "IT - ISP",
"uuid": "872de996-e069-4cd9-b227-d5ca01dc020c"
},
{
"value": "IT - Security"
"value": "IT - Security",
"uuid": "6d9dbde3-25de-48b9-ab98-361c4211e6be"
},
{
"value": "Justice"
"value": "Justice",
"uuid": "784e59ae-89bb-4bc8-82c8-7fab6ca5fb8a"
},
{
"value": "Manufacturing"
"value": "Manufacturing",
"uuid": "5cacd8fb-a3d4-4ed7-84b5-d69378038591"
},
{
"value": "Maritime"
"value": "Maritime",
"uuid": "82ac6245-8691-4216-a6dd-8c99ebb8ce51"
},
{
"value": "Military"
"value": "Military",
"uuid": "5aec0d78-53b2-4fcf-b165-537494b866e4"
},
{
"value": "Multi-sector"
"value": "Multi-sector",
"uuid": "e10093ef-ccbf-4c24-9093-61e856c05ccd"
},
{
"value": "News - Media"
"value": "News - Media",
"uuid": "a0499041-2b4e-43aa-8fe3-04c2de23abdd"
},
{
"value": "NGO"
"value": "NGO",
"uuid": "d2f31b1f-a9b1-4f5b-b2b3-1aa2732a0608"
},
{
"value": "Oil"
"value": "Oil",
"uuid": "5875cc3f-d0a5-445e-abb2-08411fc82522"
},
{
"value": "Payment"
"value": "Payment",
"uuid": "0d688425-afb5-4f71-8b5a-f9be7d2d1551"
},
{
"value": "Pharmacy"
"value": "Pharmacy",
"uuid": "8d7aa230-d07f-46e8-a099-6f1753793b84"
},
{
"value": "Police - Law enforcement"
"value": "Police - Law enforcement",
"uuid": "36432a96-225a-4c90-b0f5-44eaee45e306"
},
{
"value": "Research - Innovation"
"value": "Research - Innovation",
"uuid": "738939b4-c93f-4972-938a-7eb1f60188b9"
},
{
"value": "Satellite navigation"
"value": "Satellite navigation",
"uuid": "40082760-ed9e-4fcb-8bfa-2341d81d5e22"
},
{
"value": "Security systems"
"value": "Security systems",
"uuid": "23429f36-298a-4ac6-8db9-87223bef9cbf"
},
{
"value": "Social networks"
"value": "Social networks",
"uuid": "61809257-9f13-4910-b824-f483c4334bb5"
},
{
"value": "Space"
"value": "Space",
"uuid": "595be3ad-bfb3-4bea-b81a-2fef618a1075"
},
{
"value": "Steel"
"value": "Steel",
"uuid": "cdc8b76f-a8df-4d30-81c1-bdb4935c718d"
},
{
"value": "Telecoms"
"value": "Telecoms",
"uuid": "0de938bd-4efa-4c7a-9244-71a79317d142"
},
{
"value": "Think Tanks"
"value": "Think Tanks",
"uuid": "3c70895b-573b-450c-ad0a-98b0e1a9741e"
},
{
"value": "Trade"
"value": "Trade",
"uuid": "4fef12b1-0bee-4855-81fb-9b7d2c5a1dec"
},
{
"value": "Transport"
"value": "Transport",
"uuid": "e93eb8db-72b1-4407-be3e-8cfea8f9efee"
},
{
"value": "Travel"
"value": "Travel",
"uuid": "33a4f4fe-9bc3-4d43-b5ab-64fcc35882cf"
},
{
"value": "Turbine"
"value": "Turbine",
"uuid": "69b8bfcd-600e-45d8-962a-ce09ed0914ab"
},
{
"value": "Tourism"
"value": "Tourism",
"uuid": "bf0753fd-cb62-440d-a2c5-1adfb037676e"
},
{
"value": "Life science"
"value": "Life science",
"uuid": "87eae00d-b973-46db-83a2-1f520aebcd44"
},
{
"value": "Biomedical"
"value": "Biomedical",
"uuid": "58282b0e-10d4-4294-8845-6f41a1e79730"
},
{
"value": "High tech"
"value": "High tech",
"uuid": "cd4dfa11-5f4a-4d02-a2cc-35603261e631"
},
{
"value": "Opposition"
"value": "Opposition",
"uuid": "18daafae-a923-4cf5-bf87-d8b35dd297e2"
},
{
"value": "Political party"
"value": "Political party",
"uuid": "a93f281c-1fb4-471d-88ba-dfe5f3af13ff"
},
{
"value": "Hospitality"
"value": "Hospitality",
"uuid": "d1aa1165-981a-4d9f-aece-c130c5034e1b"
},
{
"value": "Automotive"
"value": "Automotive",
"uuid": "79e7755d-d7fa-4bbc-b956-e296c614745e"
},
{
"value": "Metal"
"value": "Metal",
"uuid": "3a7dae7d-2590-4e80-9c13-c22048a09f8a"
},
{
"value": "Railway"
"value": "Railway",
"uuid": "02847338-fe03-4073-9f5b-c6fedc244b04"
},
{
"value": "Water"
"value": "Water",
"uuid": "26282f7e-8db4-4369-8af1-3981f6a93350"
},
{
"value": "Smart meter"
"value": "Smart meter",
"uuid": "62487559-c0e5-4250-af48-d43fa2e61b82"
},
{
"value": "Retai"
"value": "Retai",
"uuid": "a26ae91b-df10-4c6f-b7bc-14c7ba13f21d"
},
{
"value": "Retail"
"value": "Retail",
"uuid": "6ce2374c-2c81-4298-a941-666bf4258c00"
},
{
"value": "Technology"
"value": "Technology",
"uuid": "ff403f0f-67d0-494c-aff9-1d748b7e7d8d"
},
{
"value": "engineering"
"value": "engineering",
"uuid": "e07cd84c-1d66-4de3-8b93-15fa93f119cc"
},
{
"value": "Mining"
"value": "Mining",
"uuid": "7508db07-ffd1-4137-9941-718f18370c4c"
},
{
"value": "Sport"
"value": "Sport",
"uuid": "e8355f07-48c7-497b-9a14-3c2a6325ef3d"
},
{
"value": "Restaurant"
"value": "Restaurant",
"uuid": "5eee85f4-f8dc-4dea-9ba2-af1e9f957097"
},
{
"value": "Semi-conductors"
"value": "Semi-conductors",
"uuid": "5b9bb2f4-3e03-46b9-ab65-a7f99b726a32"
},
{
"value": "Insurance"
"value": "Insurance",
"uuid": "c4f35266-0f80-4948-9c0a-f4681ed0d507"
},
{
"value": "Legal"
"value": "Legal",
"uuid": "94a7ffd4-d2e4-4324-be71-f274e84de089"
},
{
"value": "Shipping"
"value": "Shipping",
"uuid": "64483d7b-71a4-4130-803e-2c614a098d8b"
},
{
"value": "Logistic"
"value": "Logistic",
"uuid": "934bc859-ebc4-48d7-adb7-5accd4f0f965"
},
{
"value": "Construction"
"value": "Construction",
"uuid": "4b5c230d-70b8-4748-a27c-bec121c436d8"
},
{
"value": "Industrial"
"value": "Industrial",
"uuid": "3153215a-784d-478e-a147-3410a5b43b39"
},
{
"value": "Communication equipment"
"value": "Communication equipment",
"uuid": "f4e11fd2-f2a2-4d09-8ed4-7ef978ccc03b"
},
{
"value": "Security Service"
"value": "Security Service",
"uuid": "886e517c-0331-445e-9c4b-ebe08aeb01cd"
},
{
"value": "Tax firm"
"value": "Tax firm",
"uuid": "138159c5-0b29-46a5-91e2-fe01f7e7111d"
},
{
"value": "Television broadcast"
"value": "Television broadcast",
"uuid": "13fe4a5d-8d86-4875-b763-02bc5705810f"
},
{
"value": "Separatists"
"value": "Separatists",
"uuid": "d6335a0a-dfa2-4150-804b-86d06139e38a"
},
{
"value": "Dissidents"
"value": "Dissidents",
"uuid": "c2f32e7c-6162-4999-ac3b-356007446d18"
},
{
"value": "Digital services"
"value": "Digital services",
"uuid": "5a9da7ef-57b8-4a22-88be-b8b6556fd447"
},
{
"value": "Digital infrastructure"
"value": "Digital infrastructure",
"uuid": "a10c2362-3ee9-4741-b5a5-c2fd1c7c730f"
},
{
"value": "Security actors"
"value": "Security actors",
"uuid": "0904672b-c18a-450e-88d6-6a94dd0eb25a"
},
{
"value": "eCommerce"
"value": "eCommerce",
"uuid": "7e1ec8ba-24c4-4ad4-a596-7532ecbd0fbd"
},
{
"value": "Islamic forums"
"value": "Islamic forums",
"uuid": "c529331a-e2a9-4ba9-bb92-d4f88ae3704b"
},
{
"value": "Journalist"
"value": "Journalist",
"uuid": "ea95dce2-c2fc-48cb-95c7-d9200811f030"
},
{
"value": "Streaming service"
"value": "Streaming service",
"uuid": "2287c024-9643-43ef-8776-858d3994b9ac"
},
{
"value": "Puplishing industry"
"value": "Puplishing industry",
"uuid": "97e018e8-e03b-48ff-8add-1059f035069a"
},
{
"value": "Publishing industry"
"value": "Publishing industry",
"uuid": "867cbcb3-8baa-476f-bec5-ceb36e9b1e09"
},
{
"value": "Islamic organisation"
"value": "Islamic organisation",
"uuid": "3929f589-ac94-4a6a-8360-122e06484db8"
},
{
"value": "Casino"
"value": "Casino",
"uuid": "2e7ad54f-7637-4268-a9b9-cb2975d6bab9"
},
{
"value": "Consulting"
"value": "Consulting",
"uuid": "87ad7866-bdfa-4a22-a4f3-c411fecb1d0d"
},
{
"value": "Online marketplace"
"value": "Online marketplace",
"uuid": "737a196b-7bab-460b-b199-d6626fca1af1"
},
{
"value": "DNS service provider"
"value": "DNS service provider",
"uuid": "e48c0afc-afab-4ced-9a8b-a28d4a2efa08"
},
{
"value": "Veterinary"
"value": "Veterinary",
"uuid": "4bc73e7c-d174-4faf-9176-d0ccc8ccfbbf"
},
{
"value": "Marketing"
"value": "Marketing",
"uuid": "ee5720bb-c638-46f8-bdf2-55579bf37eb2"
},
{
"value": "Video Sharing"
"value": "Video Sharing",
"uuid": "55d12d41-c558-4cdf-b2c5-f246403ca68f"
},
{
"value": "Advertising"
"value": "Advertising",
"uuid": "b018010e-272e-4ca9-8551-073618d7f2ad"
},
{
"value": "Investment"
"value": "Investment",
"uuid": "40d66f31-36c2-42ff-97c6-97b34b5ce04e"
},
{
"value": "Accounting"
"value": "Accounting",
"uuid": "6edffd60-443c-4238-b368-362b47340d8b"
},
{
"value": "Programming"
"value": "Programming",
"uuid": "855f40e1-074e-4818-8082-696a54adf13f"
},
{
"value": "Managed Services Provider"
"value": "Managed Services Provider",
"uuid": "f9260307-f792-4e60-8aa5-e2b4f84adadb"
},
{
"value": "Lawyers"
"value": "Lawyers",
"uuid": "56eee132-fc01-410c-ada0-44d713443bf2"
},
{
"value": "Civil society"
"value": "Civil society",
"uuid": "9c1f6a5b-d9de-4cce-a024-7437cb20e24e"
},
{
"value": "Petrochemical"
"value": "Petrochemical",
"uuid": "1f1c762b-1e39-4989-8679-cc1f9cb08349"
},
{
"value": "Immigration"
"value": "Immigration",
"uuid": "bfd171a5-33f5-4c79-81c5-3dda99dae559"
}
],
"version": 1,

27
clusters/tds.json
View File

@ -10,7 +10,8 @@
"type": [
"Commercial"
]
}
},
"uuid": "94c57fc0-4477-4643-b539-55ba8c455df6"
},
{
"value": "BlackTDS",
@ -22,7 +23,8 @@
"type": [
"Underground"
]
}
},
"uuid": "d5c0cf8d-8ed0-4fa2-a2e6-7274516ea1c8"
},
{
"value": "ShadowTDS",
@ -31,7 +33,8 @@
"type": [
"Underground"
]
}
},
"uuid": "2680a4b1-84d1-4af0-8126-4429a90f8ef8"
},
{
"value": "Sutra",
@ -43,7 +46,8 @@
"type": [
"Commercial"
]
}
},
"uuid": "67f21003-bbc8-4993-b615-f990e539929f"
},
{
"value": "SimpleTDS",
@ -58,7 +62,8 @@
"type": [
"OpenSource"
]
}
},
"uuid": "aa179c37-1a8a-4761-841a-cc940e19d7be"
},
{
"value": "BossTDS",
@ -70,7 +75,8 @@
"type": [
"Commercial"
]
}
},
"uuid": "5a483b4b-671a-4113-9b99-a115d2d2d644"
},
{
"value": "BlackHat TDS",
@ -82,7 +88,8 @@
"type": [
"Underground"
]
}
},
"uuid": "36aa3b2d-4927-45e5-be08-f30144fd1909"
},
{
"value": "Futuristic TDS",
@ -91,7 +98,8 @@
"type": [
"Underground"
]
}
},
"uuid": "19d8eab9-72d5-4f22-affb-c0d6aed66346"
},
{
"value": "Orchid TDS",
@ -100,7 +108,8 @@
"type": [
"Underground"
]
}
},
"uuid": "ec0048f2-a7b2-4a71-83de-6e8fe4fef252"
}
],
"version": 3,

575
clusters/threat-actor.json
View File

File diff suppressed because it is too large Load Diff

1142
clusters/tool.json
View File

File diff suppressed because it is too large Load Diff

21
tools/add_missing_uuid.py Normal file
View File

@ -0,0 +1,21 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import argparse
import uuid
parser = argparse.ArgumentParser(description='Add missing uuids in clusters')
parser.add_argument("-f", "--filename", required=True, help="nameof the cluster (without .json)")
args = parser.parse_args()
with open(args.filename+'.json') as json_file:
data = json.load(json_file)
json_file.close()
for value in data['values']:
if 'uuid' not in value:
value['uuid'] = str(uuid.uuid4())
with open(args.filename+'.json', 'w') as json_file:
json.dump(data, json_file, indent=4)