Merge pull request #310 from Delta-Sierra/master

add several clusters
2018-12-07 21:32:00 +01:00 · 2018-12-07 21:32:00 +01:00 · ec7dd3b123
parent ac2b5dbe05 bf77e1125a
commit ec7dd3b123
3 changed files with 97 additions and 6 deletions
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@ -3292,7 +3292,10 @@
          ".tron",
          ".AUDIT",
          ".cccmn",
-          ".fire"
+          ".fire",
+          ".myjob",
+          ".[cyberwars@qq.com].war",
+          ".risk"
        ],
        "ransomnotes": [
          "README.txt",
@ -10015,7 +10018,9 @@
          ".mammon",
          ".omerta",
          ".bomber",
-          ".CRYPTO"
+          ".CRYPTO",
+          ".lolita",
+          ".stevenseagal@airmail.cc"
        ],
        "ransomnotes": [
          "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT",
@ -10027,7 +10032,9 @@
          "!!!ReadMeToDecrypt.txt",
          "Attention, all your files are encrypted with the AES cbc-128 algorithm!\n \nIt's not a virus like WannaCry and others, I hacked your computer,\nThe encryption key and bitcoin wallet are unique to your computer,\nso you are guaranteed to be able to return your files.\n \nBut before you pay, you can make sure that I can really decrypt any of your files.\n \nTo do this, send me several encrypted files to cyrill.fedor0v@yandex.com, a maximum of 5 megabytes each, I will decrypt them\nand I will send you back. No more than 5 files. Do not forget to send in the letter bitcoin address 1BhHZxek7iUTm1mdrgax6yVrPzViqLhr9u from this file.\n \nAfter that, pay the decryption in the amount of 500$ to the bitcoin address: 1BhHZxek7iUTm1mdrgax6yVrPzViqLhr9u\nAfter payment, send me a letter to cyrill.fedor0v@yandex.com with payment notification.\nOnce payment is confirmed, I will send you a decryption program.\n \nYou can pay bitcoins online in many ways:\nhttps://buy.blockexplorer.com/ - payment by bank card\nhttps://www.buybitcoinworldwide.com/\nhttps://localbitcoins.net\n \nAbout Bitcoins:\nhttps://en.wikipedia.org/wiki/Bitcoin\n\n If you have any questions, write to me at cyrill.fedor0v@yandex.com\n \nAs a bonus, I will tell you how hacked your computer is and how to protect it in the future.",
          "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/september/14/Scarab-ransomware.jpg",
-          "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsnFZrGX4AE2H1c[1].jpg"
+          "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsnFZrGX4AE2H1c[1].jpg",
+          "_How to restore files.TXT",
+          "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/30/Ds8PMFpW0AIcYuJ[1].jpg"
        ],
        "refs": [
          "https://www.bleepingcomputer.com/news/security/scarab-ransomware-pushed-via-massive-spam-campaign/",
@ -11448,7 +11455,59 @@
      },
      "uuid": "7f82fb04-1bd2-40a1-9baa-895b53c6f7d4",
      "value": "DeLpHiMoRix"
+    },
+    {
+      "description": "@GrujaRS discovered a new in-dev ransomware called EnyBeny Nuclear Ransomware that meant to append the extension .PERSONAL_ID:.Nuclear to encrypted files, but failed due to a bug.",
+      "meta": {
+        "extensions": [
+          ".PERSONAL_ID:.Nuclear"
+        ],
+        "ransomnotes": [
+          "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/30/Ds4IYbfWsAECNuJ[1].jpg",
+          "https://pbs.twimg.com/media/Ds4IKL3X4AIHKrj.jpg",
+          "https://pbs.twimg.com/media/Ds4IYbfWsAECNuJ.jpg"
+        ],
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-30th-2018-indictments-sanctions-and-more/",
+          "https://twitter.com/GrujaRS/status/1066799421080461312",
+          "https://www.youtube.com/watch?v=_aaFon7FVbc"
+        ]
+      },
+      "uuid": "950d5501-b5eb-4f53-b33d-76e789912c16",
+      "value": "EnyBeny Nuclear Ransomware"
+    },
+    {
+      "description": "Michael Gillespie discovered a new ransomware that renamed encrypted files to \"[[email]][original].[random].lucky\" and drops a ransom note named _How_To_Decrypt_My_File_.txt.",
+      "meta": {
+        "extensions": [
+          "[<email>]<original>.<random>.lucky"
+        ],
+        "ransomnotes": [
+          "_How_To_Decrypt_My_File_.txt",
+          "I am sorry to tell you.\nSome files has crypted\nif you want your files back , send 1 bitcoin to my wallet\nmy wallet address : 3HCBsZ6QQTnSsthbmVtYE4XSZtism4j7qd\nIf you have any questions, please contact us.\n\nEmail:[nmare@cock.li]"
+        ],
+        "refs": [
+          "https://twitter.com/demonslay335/status/1067109661076262913",
+          "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-30th-2018-indictments-sanctions-and-more/"
+        ]
+      },
+      "uuid": "a8eb9743-dfb6-4e13-a95e-e68153df94e9",
+      "value": "Lucky Ransomware"
+    },
+    {
+      "description": "Over 100,000 thousand computers in China have been infected in just a few days with poorly-written ransomware that encrypts local files and steals credentials for multiple Chinese online services. The crooks show a screen titled UNNAMED1989 and demand the victim a ransom of 110 yuan ($16) in exchange for decrypting the files, payable via Tencent's WeChat payment service by scanning a QR code.",
+      "meta": {
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/ransomware-infects-100k-pcs-in-china-demands-wechat-payment/",
+          "https://www.bleepingcomputer.com/news/security/chinese-police-arrest-dev-behind-unnamed1989-wechat-ransomware/"
+        ],
+        "synonyms": [
+          "UNNAMED1989"
+        ]
+      },
+      "uuid": "b2aa807d-98fa-48e4-927b-4e81a50736e5",
+      "value": "WeChat Ransom"
    }
  ],
-  "version": 44
+  "version": 45
 }
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@ -563,7 +563,9 @@
          "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf"
        ],
        "synonyms": [
-          "Operation Tropic Trooper"
+          "Operation Tropic Trooper",
+          "Operation TropicTrooper",
+          "TropicTrooper"
        ]
      },
      "uuid": "4fd409a9-db86-46a5-bdf2-b6c8ee397a89",
@ -6038,6 +6040,26 @@
      },
      "uuid": "608a903a-8145-4fd1-84bc-235e278480bf",
      "value": "DNSpionage"
+    },
+    {
+      "description": "Dubbed DarkVishnya, the attacks targeted at least eight banks using readily-available gear such as netbooks or inexpensive laptops, Raspberry Pi mini-computers, or a Bash Bunny - a USB-sized piece hardware for penetration testing purposes that can pose as a keyboard, flash storage, network adapter, or as any serial device.",
+      "meta": {
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/netbooks-rpis-and-bash-bunny-gear-attacking-banks-from-the-inside/"
+        ]
+      },
+      "uuid": "db7fd7dd-28f7-4e8d-a807-8405e4b0f4e2",
+      "value": "DarkVishnya"
+    },
+    {
+      "description": "What’s noteworthy is that according to the introduction on the compromised website of the polyclinic (http://www.p2f.ru), the institution was established in 1965 and it was founded by the Presidential Administration of Russia. The multidisciplinary outpatient institution mainly serves the civil servants of the highest executive, legislative, judicial authorities of the Russian Federation, as well as famous figures of science and art.\nSince it is the first detection of this APT attack by 360 Security on a global scale, we code-named it as “Operation Poison Needles”, considering that the target was a medical institution. Currently, the attribution of the attacker is still under investigation. However, the special background of the polyclinic and the sensitiveness of the group it served both indicate the attack is highly targeted. Simultaneously, the attack occurred at a very sensitive timing of the Kerch Strait Incident, so it also aroused the assumption on the political attribution of the attack.",
+      "meta": {
+        "refs": [
+          "http://blogs.360.cn/post/PoisonNeedles_CVE-2018-15982_EN"
+        ]
+      },
+      "uuid": "08ff3cb6-c292-4360-a978-6f05775881ed",
+      "value": "Operation Poison Needles"
    }
  ],
  "version": 82
--- a/clusters/tool.json
+++ b/clusters/tool.json
@ -7433,7 +7433,17 @@
      },
      "uuid": "43dec915-2511-4275-8007-685402ffab08",
      "value": "Rotexy"
+    },
+    {
+      "description": "A recently discovered cryptomining operation forces access to Windows servers to use their CPU cycles for mining Monero coins. Detected six months ago, the activity went through multiple stages of evolution.\nSince it was spotted in mid-June, the malware received two updates and the number of attacks keeps increasing.\nThe researchers at CheckPoint analyzed the new threat and gave it the name KingMiner. They found that it targets Microsoft IIS and SQL Servers in particular and runs a brute-force attack to gain access. Once in, the malware determines the CPU architecture and checks for older versions of itself to remove them.",
+      "meta": {
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/new-kingminer-threat-shows-cryptominer-evolution/"
+        ]
+      },
+      "uuid": "a9467439-48d8-4f68-9519-560bb6430f0c",
+      "value": "KingMiner"
    }
  ],
-  "version": 103
+  "version": 104
 }