add several rqansomware and HookAds campaign

2018-11-13 12:20:37 +01:00 · 2018-11-13 12:20:37 +01:00 · f55277b682
parent 46dba06e40
commit f55277b682
4 changed files with 87 additions and 9 deletions
--- a/clusters/banker.json
+++ b/clusters/banker.json
@ -980,7 +980,8 @@
      "description": "It's a Trojan that includes banking site web injections and stealer functions. It consists of a downloader component that downloads an encrypted file containing the main DLL. The DLL, in turn, connects using raw TCP connections to port 443 and downloads additional modules (i.e. VNCDLL.dll, StealerDLL.dll, ProxyDLL.dll)",
      "meta": {
        "refs": [
-          "https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0"
+          "https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0",
+          "https://www.bleepingcomputer.com/news/security/danabot-banking-malware-now-targeting-banks-in-the-us/"
        ]
      },
      "related": [
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@ -3287,7 +3287,11 @@
          ".id-BCBEF350.[Beamsell@qq.com].bip",
          ".boost",
          ".[Darknes@420blaze.it].waifu",
-          ".brrr"
+          ".brrr",
+          ".adobe",
+          ".tron",
+          ".AUDIT",
+          ".cccmn"
        ],
        "ransomnotes": [
          "README.txt",
@ -3303,7 +3307,8 @@
          "Info.hta",
          "FILES ENCRYPTED.txt",
          "https://pbs.twimg.com/media/Dmof_FiXsAAAvTN.jpg",
-          "https://pbs.twimg.com/media/Dmof_FyXsAEJmgQ.jpg"
+          "https://pbs.twimg.com/media/Dmof_FyXsAEJmgQ.jpg",
+          "https://pbs.twimg.com/media/DrWqLWzXgAc4SlG.jpg"
        ],
        "refs": [
          "https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html",
@ -3313,7 +3318,10 @@
          "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/",
          "https://twitter.com/demonslay335/status/1049313390097813504",
          "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/",
-          "https://twitter.com/JakubKroustek/status/1038680437508501504"
+          "https://twitter.com/JakubKroustek/status/1038680437508501504",
+          "https://twitter.com/demonslay335/status/1059521042383814657",
+          "https://twitter.com/demonslay335/status/1059940414147489792",
+          "https://twitter.com/JakubKroustek/status/1060825783197933568"
        ]
      },
      "uuid": "2b365b2c-4a9a-4b66-804d-3b2d2814fe7b",
@ -11136,7 +11144,9 @@
        ],
        "refs": [
          "https://www.bleepingcomputer.com/news/security/fallout-exploit-kit-now-installing-the-kraken-cryptor-ransomware/",
-          "https://www.bleepingcomputer.com/news/security/kraken-cryptor-ransomware-masquerading-as-superantispyware-security-program/"
+          "https://www.bleepingcomputer.com/news/security/kraken-cryptor-ransomware-masquerading-as-superantispyware-security-program/",
+          "https://twitter.com/MarceloRivero/status/1059575186117328898",
+          "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-9th-2018-mostly-dharma-variants/"
        ]
      },
      "uuid": "c49f88f6-c87d-11e8-b005-d76e8162ced5",
@ -11288,7 +11298,62 @@
      },
      "uuid": "e90a57b5-cd17-4dce-b83f-d007053c7b35",
      "value": "Rektware"
+    },
+    {
+      "meta": {
+        "extensions": [
+          ".mariacbc"
+        ],
+        "ransomnotes": [
+          "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/9/moira.jpg"
+        ],
+        "refs": [
+          "https://twitter.com/malwrhunterteam/status/1058775145005887489",
+          "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-9th-2018-mostly-dharma-variants/"
+        ],
+        "synonyms": [
+          "M@r1a",
+          "BlackHeart"
+        ]
+      },
+      "uuid": "1009b7f3-e737-49fd-a872-1e0fd1df4c00",
+      "value": "M@r1a ransomware"
+    },
+    {
+      "description": "",
+      "meta": {
+        "extensions": [
+          "(enc) prepend"
+        ],
+        "ransomnotes": [
+          "aboutYourFiles.txt",
+          "Hi. Thank you for using my program. If you're reading this, a lot of your files have\nbeen encrypted. To decrypt them, you need my decryption program. For this, I want 25 000 sek, I want\nthem in bitcoin. Email me when you've paid with details about the transaction. I'll give you two days.\nIf you have not paid in two days(from the day you received the email), It will cost 1000 sek more per day.\n  If I have not heard from you after five days (from the day you received the email), I assume your files are not that\nimportant to you. So I'll delete your decryption-key, and you will never see your files again.\n\n\nAfter the payment, email me the following information:\n* the bitcoin address you sent from (important, write it down when you do the transaction)\n* the ID at the bottom of this document (this is important!! Otherwise I don't know which key belongs\nto you).\nThen I will send you the decryption-program and provide you with instructions of how to remove\nthe virus if you have not already figured it out.\n\n\nEmail:\naperfectday2018@protonmail.com\n\nBitcoin adress:  \n1LX3tBkW161hoF5DbGzbrm3sdXaF6XHv2D\n\nMake sure to get the bitcoin adress right, copy and paste and double check. If you send the bitcoin\nto the wrong adress, it will be lost forever. You cant stop or regret a bitcoin transaction.\n\n\nIMPORTANT:  \n\nDo not loose this document. You also have a copy of it on your desktop.\nDo NOT change any filenames!!! !!!\n\n\nThank you for the money, it means a lot to me.  \n\n\n\nID: [redacted 13 numbers]"
+        ],
+        "refs": [
+          "https://twitter.com/demonslay335/status/1059470985055875074",
+          "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-9th-2018-mostly-dharma-variants/"
+        ]
+      },
+      "uuid": "ad600737-6d5f-4771-ae80-3e434e29c749",
+      "value": "\"prepending (enc) ransomware\" (Not an official name)"
+    },
+    {
+      "meta": {
+        "extensions": [
+          ".impect"
+        ],
+        "ransomnotes": [
+          "how to get back you files.txt",
+          "Attention MOTHERFUCKER!\n\nAll your main files were encrypted!\n\nYour personal files (documents, databases, jpeg, docx, doc,\netc.) were encrypted, their further using impossible.\nTO DECRYPT YOUR FILES YOU NEED TO BUY A SOFTWARE WITH YOUR UNIQUE PRIVATE KEY. ONLY OUR\nSOFTWARE WILL ALLOW YOU DECRYPT YOUR FILES.\nNOTE:\nYou have only 6 hours from the moment when an encryption was done to buy our software at $300, in bitcoin\nYou all files will get deleted after the lapse of 6 hours.\nAny attempts to remove this encryption will be unsuccessful. You cannot do this without our software with your key.\nDo not send any emails with threats and rudeness to us. Example of email format: Hi, I need a decryption of my files.\n\nBitcoin address = 1GstvLM6SumX3TMMgN9PvXQsEy3FR9ZqWX\n\nContact us by email only: ayaan321308@gmail.com",
+          "https://pbs.twimg.com/media/DrkmCriWwAMCdqF.jpg"
+        ],
+        "refs": [
+          "https://twitter.com/demonslay335/status/1060921043957755904"
+        ]
+      },
+      "uuid": "f7fa6978-c932-4e62-b4fc-3fbbbc195602",
+      "value": "PyCL Ransomware"
    }
  ],
-  "version": 42
+  "version": 43
 }
--- a/clusters/stealer.json
+++ b/clusters/stealer.json
@ -14,7 +14,9 @@
      "meta": {
        "date": "March 2018.",
        "refs": [
-          "https://www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap"
+          "https://www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap",
+          "https://www.bleepingcomputer.com/news/security/hookads-malvertising-installing-malware-via-the-fallout-exploit-kit/",
+          "https://traffic.moe/2018/11/10/index.html"
        ]
      },
      "related": [
@ -54,5 +56,5 @@
      "value": "AZORult"
    }
  ],
-  "version": 3
+  "version": 4
 }
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@ -5999,7 +5999,17 @@
      },
      "uuid": "c2d5a052-dc30-11e8-9643-d76f3b9c94fa",
      "value": "EvilTraffic"
+    },
+    {
+      "description": "HookAds is a malvertising campaign that purchases cheap ad space on low quality ad networks commonly used by adult web sites, online games, or blackhat seo sites. These ads will include JavaScript that redirects a visitor through a serious of decoy sites that look like pages filled with native advertisements, online games, or other low quality pages. Under the right circumstances, a visitor will silently load the Fallout exploit kit, which will try and install its malware payload.",
+      "meta": {
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/hookads-malvertising-installing-malware-via-the-fallout-exploit-kit/"
+        ]
+      },
+      "uuid": "dce617eb-a3b6-4a9a-bd76-575c424f9761",
+      "value": "HookAds"
    }
  ],
-  "version": 77
+  "version": 78
 }