add tools and rat

2017-09-06 09:51:52 +02:00 · 2017-09-06 09:51:52 +02:00 · da5b1d2ed3
parent 568557c1af
commit da5b1d2ed3
2 changed files with 18 additions and 0 deletions
--- a/clusters/rat.json
+++ b/clusters/rat.json
@ -1161,6 +1161,15 @@
      },
      "description": "In September of 2015, a DigiTrust client visited a web link that was providing an Adobe Flash Player update. The client, an international retail organization, attempted to download and run what appeared to be a regular update. The computer trying to download this update was a back office system that processed end of day credit card transactions. This system also had the capability of connecting to the corporate network which contained company sales reports.\nDigiTrust experts were alerted to something malicious and blocked the download. The investigation found that what appeared to be an Adobe Flash Player update, was a Remote Access Trojan called NanoCore. If installation had been successful, customer credit card data, personal information, and internal sales information could have been captured and monetized. During the analysis of NanoCore, our experts found that there was much more to this RAT than simply being another Remote Access Trojan.",
      "value": "NanoCore"
+    },
+    {
+      "description": "The Zscaler ThreatLabZ research team has been monitoring a new remote access Trojan (RAT) family called Cobian RAT since February 2017. The RAT builder for this family was first advertised on multiple underground forums where cybercriminals often buy and sell exploit and malware kits. This RAT builder caught our attention as it was being offered for free and had lot of similarities to the njRAT/H-Worm family",
+      "value": "Cobian RAT",
+      "meta": {
+        "refs": [
+          "https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat"
+        ]
+      }
    }
  ]
 }
--- a/clusters/tool.json
+++ b/clusters/tool.json
@ -2971,6 +2971,15 @@
          "https://www.cylance.com/en_us/blog/threat-spotlight-is-fireball-adware-or-malware.html"
        ]
      }
+    },
+    {
+      "value": "ShadowPad",
+      "descrition": "ShadowPad is a modular cyber-attack platform that attackers deploy in victim networks to gain flexible remote control capabilities. The platform is designed to run in two stages. The first stage is a shellcode that was embedded in a legitimate nssock2.dll used by Xshell, Xmanager and other software packages produced by NetSarang. This stage is responsible for connecting to “validation” command and control (C&C) servers and getting configuration information including the location of the real C&C server, which may be unique per victim. The second stage acts as an orchestrator for five main modules responsible for C&C communication, working with the DNS protocol, loading and injecting additional plugins into the memory of other processes.",
+      "meta": {
+        "refs": [
+          "https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf"
+        ]
+      }
    }
  ]
 }